Re: Monitoring multiple application servers with grid control

From: John Piwowar <jpiwowar_at_gmail.com>
Date: Mon, 14 Dec 2009 19:04:42 -0800
Message-ID: <b7fb88be0912141904t30b30fa6o9322a0e508464858_at_mail.gmail.com>



Okay, here we go. If it's this buried in a whitepaper, perhaps my calling this a "recommendation" was a tad strong. :-) Apologies for sowing misinformation; apparently my earlier read of the document left a stronger impression than was warranted.

The original document was an Oracle whitepaper, "Enterprise Manager Grid Control Security Deployment - Best Practices" that used to live at http://www.oracle.com/technology/products/oem/pdf/Security_Paper_OOW_06.pdf, which I haven't been able to find again on a quick search. My local copy reads,
"Securing the Agents
1. To protect against the possibility of users installing unauthorized agents, use one-time registration passwords that have a reasonable expiry date.
2. Install the latest CPUs. For more detail on this, please see recommendation #2 in the Securing the OMS section above.
3. Install the agent as a separate user
4. Support only impersonation based access to this account post installation"

The same section in the apparent successor document, found at http://www.oracle.com/technology/products/oem/pdf/twp_security_best_practices.pdf, reads:

"Securing the OMA
1. Install the agents via Grid Control’s Agent Deploy which uses the secure SSH protocol.
2. To protect against the possibility of users installing unauthorized agents, use one-time registration passwords that have a reasonable expiry date instead of persistent registration passwords.
3. Install the latest CPUs. For more details on this, please see recommendation #2 in the Securing the OMS section above.
4. Install the agent as a separate user from OMS installation and support only impersonation based access to this account such as sudo or PowerBroker post installation."

-- 

Regards,

John P.

On Mon, Dec 14, 2009 at 11:41 AM, John Piwowar <jpiwowar_at_gmail.com> wrote:


> Let's try that again; who knew that accidental combination of keystrokes
> would send a message? :-P
>
> It was a recommendation from a security whitepaper; my link to it is now
> broken, so maybe the opinion has been revised, but based on the filename it
> seems to be from OpenWorld 2006. I'll see if I can dig up a working
> reference.
>
> --
>
> Regards,
>
> John P.
>
> On Mon, Dec 14, 2009 at 11:14 AM, Niall Litchfield <
> niall.litchfield_at_gmail.com> wrote:
>
>> Where is the recommendation? I've not seen it, and would be surprised
>> by it for among others the reasons you give.
>>
>> On 12/14/09, John Piwowar <jpiwowar_at_gmail.com> wrote:
>> > If you follow Oracle's recommendation to install the agent software as a
>> > different OS user than software to be monitored, you may have file
>> > permission issues that lead to problems with target discovery. My Oracle
>> > Support Doc 437078.1 covers this topic. There's a section in the Grid
>> > Control release notes that discusses this as well.
>> >
>> > Regards,
>> >
>> > John P.
>> >
>> >
>> > On Sun, Dec 13, 2009 at 11:44 PM, Niall Litchfield <
>> > niall.litchfield_at_gmail.com> wrote:
>> >
>> >> The agent should detect oracle app servers and oc4j instances out of
>> >> the box; if it doesn't, target discovery is the keyword to search for
>> >> on metalink
>> >>
>> >> On 12/14/09, Domagoj Smoljanovic <dsmoljanovic_at_ieee.org> wrote:
>> >> > Not yet. We will have. Does the agent autodetect everything or do I need to
>> >> > add manually application servers? And what about solo OC4J instances?
>> >> >
>> >> > On Fri, Dec 11, 2009 at 8:13 PM, <lyallbarbour_at_sanfranmail.com> wrote:
>> >> >
>> >> >> have you got Agents installed on those servers? There's a Mass Deployment
>> >> >> Agent for download from Oracle
>> >> >>
>> >> >> http://www.oracle.com/technology/software/products/oem/htdocs/agentsoft.html
>> >> >>
>> >> >> Lyall
>> >> >>
>> >> >>
>> >> >> -----Original Message-----
>> >> >> From: Domagoj Smoljanovic <dsmoljanovic_at_ieee.org>
>> >> >> To: oracle-l_at_freelists.org
>> >> >> Sent: Fri, Dec 11, 2009 1:52 pm
>> >> >> Subject: Monitoring multiple application servers with grid control
>> >> >>
>> >> >> Hi all.
>> >> >>
>> >> >> Is there a guide or documentation on how to add and configure application
>> >> >> server targets for monitoring on Grid Control? We'd like to add everything
>> >> >> to one monitoring portal, but I can't find the procedure needed to do this.
>> >> >> We have application server installations as well as simple OC4J instances
>> >> >> running on different servers.
>> >> >> I did search the web, but couldn't find anything.
>> >> >>
>> >> >> Thank you in advance,
>> >> >> Domagoj
>> >> >>
>> >> >>
>> >> >
>> >>
>> >> --
>> >> Sent from my mobile device
>> >>
>> >> Niall Litchfield
>> >> Oracle DBA
>> >> http://www.orawin.info
>> >> --
>> >> http://www.freelists.org/webpage/oracle-l
>> >>
>> >>
>> >>
>> >
>> >
>> > --
>> > jp
>> >
>> > John E. Piwowar
>> > Bright, early, John...pick any two
>> >
>>
>> --
>> Sent from my mobile device
>>
>> Niall Litchfield
>> Oracle DBA
>> http://www.orawin.info
>>
-- http://www.freelists.org/webpage/oracle-l
Received on Mon Dec 14 2009 - 21:04:42 CST