Set Up Access to Storage Servers

You must perform certain tasks to set up access to the storage servers that you want to monitor using Database Management.

The following tasks must be performed before adding a connection to the storage server during the Exadata Infrastructure discovery process because the storage server user credentials and the SSL certificate imported to the Management Agent truststore are tested against the storage server. The connection to the storage server from the Management Agent can be added only after a test query is sent from the Management Agent to the storage server.

Ensure the availability of an ExaCLI user to access and monitor the storage servers

The Management Agent used to connect to the storage servers requires ExaCLI credentials to collect metrics through the storage server's REST endpoint.

Recommended option: Use the out-of-the-box cellmonitor user.

Secondary option: Alternatively, create a new ExaCLI administrative user. The new user must be created on all storage servers and must have list privileges on all objects. For example:

> ssh root@<storage server>
> cellcli

CellCLI> CREATE ROLE monitor
CellCLI> GRANT PRIVILEGE list ON ALL OBJECTS ALL ATTRIBUTES WITH ALL OPTIONS TO ROLE monitor
CellCLI> CREATE USER mycellmon password=*
CellCLI> GRANT ROLE monitor TO USER mycellmon

To create a new ExaCLI user across multiple storage servers using the dcli utility:

dcli -l <OS User> -c <storage_server_1>,<storage_server_2>,... "cellcli -e CREATE ROLE monitor; cellcli -e GRANT PRIVILEGE list ON ALL OBJECTS ALL ATTRIBUTES WITH ALL OPTIONS TO ROLE monitor; cellcli -e CREATE USER mycellmon password=*; cellcli -e GRANT ROLE monitor TO USER mycellmon"

For information on how to:

Ensure the availability of the storage server's SSL certificate in the Management Agent truststore

The SSL certificates are required to confirm the identity of the storage servers in the Exadata Infrastructure to the Management Agent. The communication between the storage servers and the Management Agent uses HTTPS and requires the storage server's SSL certificates in the Management Agent's truststore.

Before you import the storage server's SSL certificate to the Management Agent's truststore, it's recommended that you test the SSL certificate against the storage server REST endpoint on the agent host. The --cacert option makes curl verify the server's certificate against the specified file:

curl -u [cellmonitorUserName:cellmonitoruserpassword] --cacert [certificate file] 'https://[storage_server_name]:[port]/MS/RESTService/?cmd=list+cell'

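For example (to keep the password out of the shell history and process list, pass only the user name to -u and curl prompts for the password):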

curl -u monitor_user1:monitor_password --cacert ./my_storage_server.pem 'https://my_storage_server:443/MS/RESTService/?cmd=list+cell'

To import the storage server's SSL certificate to the Management Agent's truststore:

  1. Obtain the storage server's SSL certificate. To download the certificate from the storage server:
    echo | openssl s_client -showcerts -servername [storage_server_name] -connect [storage_server_name:port] 2>/dev/null | openssl x509 -out storage_server_certificate.pem
  2. Add the storage server's SSL certificate to a truststore on the Management Agent node. If you already have a truststore created on the Management Agent node, then you can reuse it. To create a new truststore or to add the SSL certificate to an existing truststore:
    keytool -importcert -alias [storage_server_name] -file [path_to_storage_server_certificate.pem] -trustcacerts -keystore /path/to/truststore -storetype JKS
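
The download in step 1 accepts whatever certificate the endpoint presents at that moment, so it is worth comparing the file's SHA-256 fingerprint with one obtained from the storage server over a separate trusted channel before running keytool. The following is an added example, not part of the original documentation; the function names, the pinning workflow and the throwaway self-signed certificate used as sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a downloaded certificate against a known fingerprint
# before importing it. All function names here are illustrative assumptions.

# Print the SHA-256 fingerprint of a PEM certificate as bare uppercase hex.
cert_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
    sed -e 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Normalize an expected fingerprint (strip colons and spaces, uppercase).
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# verify_cert PEM_FILE EXPECTED_FINGERPRINT
# Returns 0 on match, 1 on mismatch, 2 if unparsable, 3 if expiring in 24h.
verify_cert() {
  expected=$(normalize_fp "$2")
  actual=$(cert_sha256 "$1")
  [ -n "$actual" ] || { echo "not a PEM certificate: $1" >&2; return 2; }
  openssl x509 -in "$1" -noout -checkend 86400 >/dev/null ||
    { echo "certificate expires within 24 hours: $1" >&2; return 3; }
  [ "$actual" = "$expected" ] ||
    { echo "fingerprint mismatch, got $actual" >&2; return 1; }
}

# Constructed sample input: a throwaway self-signed certificate standing in
# for storage_server_certificate.pem from step 1.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=my_storage_server" -keyout "$1.key" -out "$1" 2>/dev/null
}

demo() {
  dir=$(mktemp -d)
  make_sample_cert "$dir/storage_server_certificate.pem"
  # Stand-in for the fingerprint an administrator reads on the server itself.
  pinned=$(cert_sha256 "$dir/storage_server_certificate.pem")
  verify_cert "$dir/storage_server_certificate.pem" "$pinned" &&
    echo "fingerprint matches; safe to run the keytool import"
  rm -rf "$dir"
}
demo
```

In practice, pass the file written in step 1 and the fingerprint supplied by the storage server administrator to verify_cert, and run the keytool import only when it returns 0.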

When adding a connection to monitor the storage server using Database Management, you must provide the truststore file location. For information, see Add Connections to Storage Servers.

Note that if you're using custom SSL certificates with a common domain name for all storage servers, where all storage servers are using the same certificate, then you only need to import that certificate once into the truststore (if using the same Management Agent to monitor multiple storage servers).