Chapter 3 Administering Oracle VM Manager
Administering Oracle VM Manager involves creating, deleting, and working with user accounts, modifying database schema, rotating log files, and capturing diagnostic information for troubleshooting.
3.1 Oracle VM Manager Administrator Tool (ovm_admin)
The Oracle VM Manager Administrator Tool, which can be invoked on the command
line using the ovm_admin command, is used to
perform administrative actions specific to Oracle VM Manager. These actions
allow you to manage users that have access to the Oracle VM Manager data
store, and control log rotation for the
AdminServer.log
file. To perform any action
using the Oracle VM Manager Administrator Tool, you must use the password
that is configured for the
weblogic
user.
The Oracle VM Manager Administrator Tool provides you with the ability to perform various user management functions directly from the command line. By default, the Oracle VM Manager installation process only creates and configures a single Oracle VM Manager administrative user. While this is often sufficient for many customers, creating separate administrative user accounts may be useful for security and auditing purposes.
The Oracle VM Manager Administrator Tool is installed as part of the default Oracle VM Manager installation process. The full path to the Oracle VM Manager Administrator Tool is:
/u01/app/oracle/ovm-manager-3/bin/ovm_admin
Syntax
ovm_admin
[
--help
] [
--createuser
] [
--deleteuser
] [
admin
--listusers
] [
--modifyuser
] [
--modifyds
] [
--listds
] [
--lockusers
] [
tries
--unlockuser
] [
admin
--listconfig
] [
--rotatelogsdaily
] [
HH:MM
--rotatelogsbysize
] [
KB
--updatemysqlroot
]
Options
The following table shows the available options for this command.
Option |
Description |
---|---|
|
Display the ovm_admin command parameters and options. |
|
Displays Oracle VM Manager configuration details. |
|
List the Oracle VM Manager users. For an example of how to list users, see Section 3.1.1, “Listing Users”. |
|
Create new Oracle VM Manager admin user. For an example of how to create a user, see Section 3.1.2, “Creating Users”. |
|
Delete an Oracle VM Manager admin user. For an example of how to delete a user, see Section 3.1.3, “Deleting Users”. |
|
Modify an Oracle VM Manager user password. For an example of how to change a user's password, see Section 3.1.4, “Changing User Passwords”. |
|
Set the maximum login tries before locking accounts. This setting is global. For an example of how to change account locking, see Section 3.1.5, “Configure Account Locking”. |
|
Unlock a user account. For an example of how to unlock a user account, see Section 3.1.6, “Unlocking User Accounts”. |
|
List Oracle VM Manager data sources. For an example of how to list data sources, see Section 3.1.7, “Listing Data Sources”. |
|
Modify an Oracle VM Manager database schema. Typically used if the password for the MySQL database has been changed directly within MySQL. For an example of how to modify database schema, see Section 3.1.8, “Modifying the Oracle VM Manager Database Schema”. |
|
Rotate the Oracle VM Manager application logs daily (HH:MM). For examples of rotating log files, see Section 3.1.9, “Rotating Log Files”. |
|
Rotate the Oracle VM Manager application logs by size (KB). For examples of rotating log files, see Section 3.1.9, “Rotating Log Files”. |
|
Change the password for the MySQL root user. The Oracle VM Manager Administrator Tool connects to the MySQL database as the root user. This option changes the password that the Oracle VM Manager Administrator Tool uses for the root user but does not change the password in the database itself. For this reason, you must first change the password with the Oracle VM Manager Administrator Tool and then manually change the password in the database. You should review the best practices and considerations for this option before you change the password, see Section 3.1.10, “Changing the Password for the MySQL Root User”. |
3.1.1 Listing Users
Obtain a list of users that have access to Oracle VM Manager with the following command:
# ./ovm_admin --listusers
The tool prompts you for the Oracle WebLogic Server password and returns output similar to the following:
Oracle VM Manager Releaseversion
Admin tool /u01/app/oracle/ovm-manager-3/ovm_wlst Initializing WebLogic Scripting Tool (WLST) ... Welcome to Oracle WebLogic Server Administration Scripting Shell Type help() for help on available commandsdate_time
[main] INFO ovm.wlst.commands - Connecting using URL t3://localhost:7001 Please enter the password for weblogic: Location changed to serverRuntime tree. This is a read-only tree with DomainMBean as the root. For more help, use help('domainConfig') weblogic, admin,ovmuser
Some users stored within Oracle WebLogic Server are critical to your Oracle VM Manager environment, such as the following:
-
OracleSystemUser: Used by Oracle Web Services Manager (OWSM). OWSM is part of the standard Oracle Fusion Middleware (FMW) Infrastructure, that includes ADF.
-
weblogic: The default Oracle WebLogic Server administrative user.
The default admin user account is also
typically listed. Any other user accounts listed, such as the
ovmuser
account, have been added to the
system after installation.
For more information about default user accounts, see Section 4.1, “Default Oracle VM Manager Users”.
3.1.2 Creating Users
Create new Oracle VM Manager users with the following command:
# ./ovm_admin --createuser
The tool returns the following output:
Oracle VM Manager Releaseversion
Admin tool /u01/app/oracle/ovm-manager-3/ovm_wlst Initializing WebLogic Scripting Tool (WLST) ... Welcome to Oracle WebLogic Server Administration Scripting Shell Type help() for help on available commandsdate_time
[main] INFO ovm.wlst.commands - Connecting using URL t3://localhost:7001 Please enter the password for weblogic:
At this point you must enter the password for the Oracle WebLogic Server. If you have not changed the Oracle VM Manager admin user's password, this password is usually the same as your default Oracle VM Manager admin user's password.
Please enter the username:ovmuser
Please enter a new password forovmuser
, this password must be at least 8 characters long and must contain at least one non-alphabetic character: Please re-enter the password: Location changed to serverRuntime tree. This is a read-only tree with DomainMBean as the root. For more help, use help('domainConfig')date_time
[main] INFO ovm.wlst.domainbuilder.Domain - Created a user namedovmuser
The must conform to the password requirements suggested by the Oracle VM Manager Administrator Tool or the creation of the user fails in the final step.
3.1.3 Deleting Users
Delete Oracle VM Manager administrative users with the following command:
# ./ovm_admin --deleteuser ovmuser
You are prompted for the Oracle WebLogic Server password. This is the password for the Oracle WebLogic Server as it was set up during installation. If you have not changed the Oracle VM Manager admin user's password, this password is usually the same as your default Oracle VM Manager admin user's password. Typical output is presented below:
Oracle VM Manager Releaseversion
Admin tool /u01/app/oracle/ovm-manager-3/ovm_wlst Initializing WebLogic Scripting Tool (WLST) ... Welcome to Oracle WebLogic Server Administration Scripting Shell Type help() for help on available commandsdate_time
[main] INFO ovm.wlst.commands - Connecting using URL t3://localhost:7001 Please enter the password for weblogic: Location changed to serverRuntime tree. This is a read-only tree with DomainMBean as the root. For more help, use help('domainConfig')date_time
[main] INFO ovm.wlst.domainbuilder.Domain - Deleted the user namedovmuser
Some users stored within Oracle WebLogic Server are critical to your Oracle VM Manager environment. Do not attempt to delete either of the following users:
-
OracleSystemUser
-
weblogic
You should also keep the default admin user account so that there is always at least one administrative account that can access Oracle VM Manager.
3.1.4 Changing User Passwords
Change any Oracle VM Manager administrative user's password with the following command:
# ./ovm_admin --modifyuser
The tool returns the following output:
Oracle VM Manager Releaseversion
Admin tool /u01/app/oracle/ovm-manager-3/ovm_wlst Initializing WebLogic Scripting Tool (WLST) ... Welcome to Oracle WebLogic Server Administration Scripting Shell Type help() for help on available commandsdate_time
[main] INFO ovm.wlst.commands - Connecting using URL t3://localhost:7001 Please enter the password for weblogic:
At this point you must enter the password for the Oracle WebLogic Server. If you have not changed the Oracle VM Manager admin user's password, this password is usually the same as your default Oracle VM Manager admin user's password.
Please enter the username: ovmuser
Please enter the password for ovmuser:
You must provide the user's current password to modify the user account.
If you need to reset an account due to a lost password, you should first delete the user account and then create a new account.
Please enter a new password for ovmuser, this password must be at least 8 characters long and must contain at least one non-alphabetic character: Please re-enter the password:
The password must conform to the password requirements suggested by the Oracle VM Manager Administrator Tool or the creation of the user fails in the final step.
Location changed to serverRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help('domainConfig')
date_time
[main] INFO ovm.wlst.domainbuilder.Domain - Changed ovmuser's password
3.1.5 Configure Account Locking
To protect unauthorized access to Oracle VM Manager you can configure an account locking facility that is triggered after a number of failed attempts to log in.
Configure the account locking facility with the following command:
# ./ovm_admin --lockusers [3]
Account locking is enabled by default according to the base Oracle WebLogic Server configuration. After you exceed the maximum number of invalid login attempts, the account is locked for 30 minutes before it is automatically unlocked again.
To change the lock period, you must edit the Oracle WebLogic Server configuration. For more information on configuring the Oracle WebLogic Server lockout parameters, refer to the appropriate Oracle WebLogic Server documentation.
This is a global parameter that applies to all users. Setting this parameter on an instance of Oracle VM Manager that makes use of a single administrator account can result in this account being locked for 30 minutes before anybody can use it again. To recover from this is it is possible to unlock the account. See Section 3.1.6, “Unlocking User Accounts”.
You are prompted to enter the Oracle WebLogic Server password in order to apply this setting. Typical output from the command follows:
Oracle VM Manager Releaseversion
Admin tool /u01/app/oracle/ovm-manager-3/ovm_wlst Initializing WebLogic Scripting Tool (WLST) ... Welcome to Oracle WebLogic Server Administration Scripting Shell Type help() for help on available commandsdate_time
[main] INFO ovm.wlst.commands - Connecting using URL t3://localhost:7001 Please enter the password for weblogic: Location changed to edit tree. This is a writable tree with DomainMBean as the root. To make changes you will need to start an edit session via startEdit(). For more help, use help('edit') Starting an edit session ... Started edit session, please be sure to save and activate your changes once you are done.date_time
[main] INFO ovm.wlst.domainbuilder.Domain - Set lockout threshold to 3 tries Saving all your changes ... Saved all your changes successfully. Activating all your changes, this may take a while ... The edit lock associated with this edit session is released once the activation is completed. The following non-dynamic attribute(s) have been changed on MBeans that require server re-start: MBean Changed : Security:Name=myrealmUserLockoutManager Attributes changed : LockoutThreshold Activation completed
You must restart Oracle VM Manager for the changes to the account locking facility to take effect, as follows:
# service ovmm restart
3.1.6 Unlocking User Accounts
When account locking is enabled (see Section 3.1.5, “Configure Account Locking”), it is possible for Oracle VM Manager user accounts to become locked for up to 30 minutes if a user fails to authenticate after the number of attempts that has been configured for this facility. When a user's account has become locked and the user enters the correct username and password combination, an error appears when the user attempts to authenticate:
Unexpected error during login (javax.security.auth.login.LoginException), please consult logs for details.
An investigation of the AdminServer.log
reveals:
>BEA-090078< >User ovmuser
in security realm myrealm
has had 3 invalid login attempts, locking account for 30 minutes.<
You can override the 30 minute lock on an account with the following command:
# ./ovm_admin --unlockuser ovmuser
You are prompted for the Oracle WebLogic Server account password in order to complete the operation.
3.1.7 Listing Data Sources
Use this command option to check data sources before using the
--modifyds
option or to validate the result of a
--modifyds
operation.
Obtain a list of data sources that Oracle VM Manager uses with the following command:
# ./ovm_admin --listds Oracle VM Manager Releaseversion
Admin tool //u01/app/oracle/ovm-manager-3/ovm_wlst Initializing WebLogic Scripting Tool (WLST) ... Welcome to Oracle WebLogic Server Administration Scripting Shell Type help() for help on available commandsdate_time
[main] INFO ovm.wlst.commands - Connecting using URL t3://localhost:7001 Please enter the password for weblogic:
At this point you must enter the password for the Oracle WebLogic Server. If you have not changed the Oracle VM Manager admin user's password, this password is usually the same as your default Oracle VM Manager admin user's password.
The tool prompts you to enter the MySQL user that should be used to query the database and then provides output similar to the following:
Please enter the name of a MySQL user: [appfw, ovs] ovs Listing Oracle VM Manager Data Source 'ovm-jpa-ds'... DriverName com.mysql.jdbc.Driver Url jdbc:mysql://localhost:49500/ovs DatabaseName ovs Listing Oracle VM Manager Data Source 'ovm-jpa-ds' successfully Listing Oracle VM Manager Data Source 'ovm-odof-ds'... DriverName com.mysql.jdbc.Driver Url jdbc:mysql://localhost:49500/ovs DatabaseName ovs Listing Oracle VM Manager Data Source 'ovm-odof-ds' successfully
3.1.8 Modifying the Oracle VM Manager Database Schema
You can use the Oracle VM Manager Administrator Tool to handle database schema changes within MySQL. The most typical use case for this is where the password for the Oracle VM Manager database has been changed directly within MySQL, without using any of the tools provided with Oracle VM. An alternative use case would be where the Oracle VM Manager database has been renamed within MySQL.
The --modifyds
option is used to update Oracle VM Manager
for changes made directly to the MySQL database:
# ./ovm_admin --modifyds
The tool prompts you for the Oracle VM Manager database schema password and the Oracle WebLogic Server password, and returns output similar to the following:
Oracle VM Manager Releaseversion
Admin tool /u01/app/oracle/ovm-manager-3/ovm_wlst Initializing WebLogic Scripting Tool (WLST) ... Welcome to Oracle WebLogic Server Administration Scripting Shell Type help() for help on available commandsdate_time
[main] INFO ovm.wlst.commands - Connecting using URL t3://localhost:7001 Please enter the password for weblogic:
At this point you must enter the password for the Oracle WebLogic Server. If you have not changed the Oracle VM Manager admin user's password, this password is usually the same as your default Oracle VM Manager admin user's password.
Please enter the name of a MySQL user: [appfw, ovs] ovs Please enter the password for MySQL user ovs: Please enter the new password for ovs user: Please re-enter the password: Location changed to edit tree. This is a writable tree with DomainMBean as the root. To make changes you will need to start an edit session via startEdit(). For more help, use help('edit') Starting an edit session ... Started edit session, please be sure to save and activate your changes once you are done. Saving all your changes ... Saved all your changes successfully. Activating all your changes, this may take a while ... ...... The following non-dynamic attribute(s) have been changed on MBeans that require server re-start: MBean Changed : com.bea:Name=ovm-odof-ds, Type=weblogic.j2ee.descriptor.wl.JDBCDriverParamsBean,Parent=[ovm_domain] /JDBCSystemResources[ovm-odof-ds],Path=JDBCResource[ovm-odof-ds]/JDBCDriverParams Attributes changed : PasswordEncrypted Activation completed
Note that there is a second database schema, usually named appfw, that is also used by Oracle VM Manager. If the password for this database has also been changed, then the same command must be run again, as follows:
Oracle VM Manager Releaseversion
Admin tool /u01/app/oracle/ovm-manager-3/ovm_wlst Initializing WebLogic Scripting Tool (WLST) ... Welcome to Oracle WebLogic Server Administration Scripting Shell Type help() for help on available commandsdate_time
[main] INFO ovm.wlst.commands - Connecting using URL t3://localhost:7001 Please enter the password for weblogic:
At this point you must enter the password for the Oracle WebLogic Server. If you have not changed the Oracle VM Manager admin user's password, this password is usually the same as your default Oracle VM Manager admin user's password.
Please enter the name of a MySQL user: [appfw, ovs] appfw Please enter the password for MySQL user appfw: Please enter the new password for appfw user: Please re-enter the password: Location changed to edit tree. This is a writable tree with DomainMBean as the root. To make changes you will need to start an edit session via startEdit(). For more help, use help('edit') Starting an edit session ... Started edit session, please be sure to save and activate your changes once you are done. Saving all your changes ... Saved all your changes successfully. Activating all your changes, this may take a while ... ...... The following non-dynamic attribute(s) have been changed on MBeans that require server re-start: MBean Changed : com.bea:Name=ovm-qrtz-ds, Type=weblogic.j2ee.descriptor.wl.JDBCDriverParamsBean,Parent=[ovm_domain] /JDBCSystemResources[ovm-qrtz-ds],Path=JDBCResource[ovm-qrtz-ds]/JDBCDriverParams Attributes changed : PasswordEncrypted Activation completed
When you have finished running this command, you must restart Oracle VM Manager as follows:
# service ovmm restart # service ovmcli restart
3.1.9 Rotating Log Files
The Oracle VM Manager Administrator Tool allows you to control how and when log files are rotated. There are two options available:
-
--rotatelogsdaily: Set the logs to be rotated on a daily basis at an allocated time.
-
--rotatelogsbysize: Set the logs to be rotated when they reach a specified size.
In both cases, you are prompted for the Oracle WebLogic Server password to update the configuration.
Rotating Oracle VM Manager logs daily
To set the logs to rotate daily at an allocated time, run the Oracle VM Manager Administrator Tool as follows:
# ./ovm_admin --rotatelogsdaily [00:30]
The time provided is specified in the format
HH:MM
.
Typical output from the command follows:
Oracle VM Manager Release version
Admin tool
Please enter the password for weblogic :
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to Oracle WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Connecting to Oracle WebLogic Server ...
Connected ...
Configure log rotation setting to rotate daily at [00:30] ...
Modified log rotation setting successfully ...
Exiting...
Rotating Oracle VM Manager logs by size
To set the logs to rotate when they reach a specified size, run the Oracle VM Manager Administrator Tool as follows:
# ./ovm_admin --rotatelogsbysize [1024]
The size provided is specified according to the number of kilobytes before rotation.
Typical output from the command follows:
Oracle VM Manager Release version
Admin tool
Please enter the password for weblogic :
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to Oracle WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Connecting to Oracle WebLogic Server ...
Connected ...
Configure log rotation setting to rotate the logs based on size ([1024] KB) ...
Modified log rotation setting successfully ...
Exiting...
3.1.10 Changing the Password for the MySQL Root User
You can change the password for the MySQL root user that the Oracle VM Manager Administrator Tool uses to connect to the MySQL database instance.
The Oracle VM Manager Administrator Tool connects to the MySQL server as the root user. This option changes the password that the Oracle VM Manager Administrator Tool uses for the root user but does not change the password in the database itself. For this reason, you must first change the password with the Oracle VM Manager Administrator Tool and then manually change the password in the database.
Change the password for the MySQL root user as follows:
-
Run the Oracle VM Manager Administrator Tool with the
--updatemysqlroot
option.# ./ovm_admin --updatemysqlroot
The tool returns the following output:
Oracle VM Manager Release
version
Admin tool Initializing WebLogic Scripting Tool (WLST) ... Welcome to Oracle WebLogic Server Administration Scripting Shell Type help() for help on available commandsdate_time
[main] INFO ovm.wlst.commands - Connecting using URL t3://localhost:7001 Please enter the password for weblogic: -
Enter the password for the Oracle WebLogic Server. If you have not changed the Oracle VM Manager admin user's password, this password is usually the same as your default Oracle VM Manager admin user's password.
The Oracle VM Manager Administrator Tool prompts you with the following:
Please enter the current password for MySQL user root:
-
Enter the current password for the MySQL root user.
The Oracle VM Manager Administrator Tool prompts you with the following:
Please enter the new password for MySQL user root: Please re-enter the password:
-
Enter the new password for the MySQL root user and then confirm the password.
The command provides the following output:
date_time
[main] INFO ovm.wlst.domainbuilder.Domain - Updated MySQL root password successfully in WebLogic! Please note that you must separately update the password in the database -
Stop Oracle VM Manager.
# /etc/init.d/ovmm stop
-
Manually change the password in the database so that it matches the password that you set with the Oracle VM Manager Administrator Tool, as follows:
-
Connect to the MySQL server.
# mysql -S /u01/app/oracle/mysql/data/mysqld.sock -u root -p
-
When prompted, enter the previous password for the root user, not the new password that you set with the Oracle VM Manager Administrator Tool.
-
Ensure you are using the MySQL database.
$ mysql> use mysql;
-
Change the password for the root user.
$ mysql> update user set password=PASSWORD("
new_password
") where User='root'; -
Flush privileges.
$ mysql> flush privileges;
-
Disconnect from the MySQL server.
$ mysql> quit
-
-
Restart the MySQL service for Oracle VM Manager.
# /etc/init.d/ovmm_mysql restart
-
Start Oracle VM Manager.
# /etc/init.d/ovmm start
3.2 Working with the MySQL Instance
Oracle VM Manager uses an instance
of MySQL Enterprise Edition for storing configuration and other
data. Database files reside at
/u01/app/oracle/mysql/data
.
Starting, Stopping, and Checking Status of the MySQL Server
Oracle VM Manager depends on a running instance of the MySQL server. You should not stop the MySQL server while Oracle VM Manager is running unless you are troubleshooting issues or configuring the MySQL server.
To start, stop, restart and obtain the status of the MySQL server,
you can use the /etc/init.d/ovmm_mysql
init
script as follows:
# /etc/init.d/ovmm_mysql restart
Alternatively, you can use the service command as follows:
# service ovmm_mysql start
MySQL Configuration and Event Logs
Configuration for the Oracle VM Manager MySQL server is contained in:
/u01/app/oracle/mysql/data/my.cnf
.
Editing the configuration file might break your Oracle VM Manager installation. Do not edit the configuration file unless an Oracle Support representative instructs you to do so.
MySQL server events are logged in:
/u01/app/oracle/mysql/data/mysqld.err
.