Category Archives: OEM

Book review : EM12c

OCM Oracle ACE Porus Homi Havewala wrote a new book on Cloud Control

Oracle Enterprise Manager Cloud Control 12c: Managing Data Center Chaos

It is a book about Enterprise Manager, but also a book about the Chaos.

There is no separation of roles [...] there is no DBA Designer (the Senior DBA) [...] and no DBA Operator (the Junior DBA). The Senior [...] does not even have the time [...] the Junior then decides to try out different things

It is also a book about em. And about 12c. No mention of 12cR2, which is massively more performant.

I have been using 12c for about one year and multiple topics are covered. There is not much said on the Incident Manager, which seems to be powerful but it is for me more time consuming than acknowledging the alerts in 10g/11g.

There is a huge advantage of using 12c, to deploy new agents and new targets in very large shops.

I have set up the software library in offline mode (download with pc from metalink and load in em with emcli), the offline fashion is not documented. In all the places where I have been working, an internet communication between outside world (oracle.com) and database server is banned.

Lots of screenshots on Exadata. Not sure where the author could try it, the domains were grayed out (why not edit to example.com with Photoshop?)

There is a lot of content (almost 400 pages), to mention only a few : Real Time ADDM, Real Application Testing, Database deployment, data masking.

At the end of the book you will enjoy the case studies. Reading through the lines, it is not always success stories, but rather expectations that em will do the job.

The bank also wanted to ensure that their data center was in compliance with security best practices.

As in any IT book, you do not have to read it from page 1 to page 379, myself I have no DB Machine so I could skip the largest chapter which is on Exadata. But it is a pleasant read.

The book is very friendly with Oracle. I have experienced awful performance in 12cR1 and Internet Explorer, some annoying and unavoidable java exceptions in the web interface and the dumbest requirement for me was to install cygwin, bash, ssh on one windows server only to deploy the agent!

I recommend the book, it is a good book

OEM 10gR3 is out!

emgrid 10.2.0.3 is not the second patchset of 10gR2, it is Oracle Enterprise Manager Grid Control Release 3.

Well, it is still called a patch set and must be applied to 10.2.0.1 or 10.2.0.2.

But it is a new release !

You can download the software and the doc on otn
http://www.oracle.com/technology/software/products/oem/index.html

Out of the new features, you have a Linux pack for your Unbreakable Linux, Management pack for Siebel and Oracle Content Database, and also Linux Server Administration to manage your Linux (RHEL4 and SuSE9).

Monitoring the age of the last backup with OEM

My customer wants to receive alerts if a database has not been backed up (either unsuccessful backup or no backup) for ages.

As the customer has Oracle Enterprise Manager Grid Control 10gR2, I started using User Defined Metric (UDM) yesterday. Thanks to Troy for his comment at OEM Generic Service

I would do 2 checks, backup of datafiles and backup of redo logs.

Here are the steps:
- Open a database target (LSC01)
- Click on User-Defined-Metrics
- Create
- Metric Name = Age of datafile backup
- Type = Number
- Output = Single Value
- SQL Query : the age in hours since the oldest checkpoint time of the newest backup
select (sysdate-min(t))*24 from
(
  select max(b.CHECKPOINT_TIME) t
  from v$backup_datafile b, v$tablespace ts, v$datafile f
  where INCLUDED_IN_DATABASE_BACKUP='YES'
  and f.file#=b.file#
  and f.ts#=ts.ts#
  group by f.file#
)
- Credentials : dbsnmp/*****
- Threshold Operator > Warning 24 Critical 48
- Repeat every 1 hour
- OK

Same for redo logs, with the name Age of redolog backup and the query
select (sysdate-max(NEXT_TIME))*24 from v$BACKUP_REDOLOG

I am not going to do this for each instance, so I will create a monitoring template
- Setup
- Monitoring Templates
- Create
- Select the target (LSC01)
- Name = Age of last backup
- Metric Threshold : remove all metrics except Age of datafile backup and Age of redolog backup
- Policies : remove all policies from template
- OK

Start applying your new metric to your databases.
- Apply
- Add
- Select all your databases
- Continue
- dbsnmp/*** (if you have the same database password for dbsnmp on all databases, it is easier)

It is now possible to define alerts.
- Preferences
- Notification Rules
- Create
- Apply to specific targets : Add your productive databases group
- Deselect Availability Down
- Metric: Add : Show all: Check User defined metric : Select : Age of datafile backup , Age of redolog backup
- Severity : Critical and Clear
- Policy : None
- Method : Email

After a while, you can monitor the metric with a historical graphic
User Defined Metric graph in OEM

OEM Generic service

I want to monitor the output of one script in OEM.

Let’s say my script is that easy :


#!/bin/ksh
echo $RANDOM

So I go to

  • OEM 10gR2 Grid Control
  • All Targets
  • Add Generic Service – Go
  • Name : random
  • Select System : EM Website System
  • Define availability based on: Service Test
  • Test Type: custom test
  • Name : random
  • Collection Frequency : 1 minute
  • Command line : /home/oracle/random.sh
  • Username : oracle
  • Password : oracle
  • Add Beacon : oemsrv01_beacon
  • Next – Next – Finish
  • That’s all, your generic service is ready. Wait a bit, you will see this in your targets list. You can then click on perform in your “random” homepage and choose “custom metric 1” to have a graph of your values ($RANDOM).

    Happy Holidays !

    For those who like free games about skiing with really good graphics, check this :
    Ski Challenge 2007
    go to http://www.tsr.ch/tsr/index.html?siteSect=860020
    click Télécharger le jeu (about 41Mb)

    How To Add The Domain Name Of The Host To Name Of The Agent

    I have been looking for this note for ages : Metalink note 295949.1

    Now I know how to rename my targets in Grid Control! the trick is to stop the agent
    AH/emctl stop agent
    to remove the upload and state files/subdirectories

    
    cd AH/sysman/emd
    find state upload recv agntstmp.txt lastupld.xml protocol.ini -type f -exec rm {} ';'
    rm -r state/*

    to remove the agent in the grid
    
    col TARGET_TYPE for a17
    col TARGET_NAME for a60
    set lin 100 pages 0 emb on newp none head on autop on
    select TARGET_TYPE,TARGET_NAME
    from MGMT$TARGET
    where TARGET_TYPE='oracle_emd'
    order by TARGET_NAME;
    var target_name varchar2(40)
    prompt Enter the target_name to delete
    exec :target_name:='&TARGET_NAME';if (:target_name is not null) then mgmt_admin.cleanup_agent(:target_name); end if
    

    to edit the targets.xml
    vi AH/sysman/emd/targets.xml
    to rename your targets (listener, host, db), and restart your agent
    AH/emctl start agent
    hth

    lock system, restrict dbsnmp

    An unlocked user is a security problem. Currently, all my unlocked users have only CREATE SESSION as system privilege, possibly ALTER SESSION.

    Except SYS, SYSTEM and DBSNMP

    To minimize this security problem, I implemented the following strategy on my test system.

    1) delete password file, set remote_login_passwordfile=NONE, O7_DICTIONARY_ACCESSIBILITY=FALSE
    2) alter user SYSTEM account lock;
    3a) in 10gR2 :
    alter user dbsnmp quota 1T on sysaux;
    create role secure_oem_role;
    grant advisor, analyze any, analyze any dictionary, create job, create procedure, create session, create table, manage any queue, select any dictionary to secure_oem_role;
    grant EXECUTE on "SYS"."DBMS_AQ" to secure_oem_role;
    grant EXECUTE on "SYS"."DBMS_AQADM" to secure_oem_role;
    grant EXECUTE on "SYS"."DBMS_DRS" to secure_oem_role;
    grant EXECUTE on "SYS"."DBMS_MONITOR" to secure_oem_role;
    grant EXECUTE on "SYS"."DBMS_SERVER_ALERT" to secure_oem_role;
    grant EXECUTE on "SYS"."DBMS_SYSTEM" to secure_oem_role;
    grant EXECUTE on "SYS"."DBMS_WORKLOAD_REPOSITORY" to secure_oem_role;
    exec SYS.DBMS_AQADM.GRANT_QUEUE_PRIVILEGE('DEQUEUE', 'ALERT_QUE', 'SECURE_OEM_ROLE')
    revoke EXECUTE ON "SYS"."DBMS_SERVER_ALERT" from dbsnmp;
    revoke EXECUTE ON "SYS"."DBMS_SYSTEM" from dbsnmp;
    revoke UNLIMITED TABLESPACE from dbsnmp;
    revoke SELECT ANY DICTIONARY from dbsnmp;
    revoke CREATE PROCEDURE from dbsnmp;
    revoke CREATE TABLE from dbsnmp;
    revoke OEM_MONITOR from dbsnmp;
    grant secure_oem_role to dbsnmp;
    3b) in other versions, you probably can remove more and grant less, I think only in 10g it is necessary to have “quota”. In my other databases, dbsnmp has 0 segments.

    Check what system privileges are potentially dangerous to the system :

    select path
    from
    (
    select
    grantee,
    sys_connect_by_path(privilege, ':')||':'||grantee path
    from (select grantee, privilege, 0 role from dba_sys_privs union all select grantee, granted_role, 1 role from dba_role_privs)
    connect by privilege=prior grantee
    start with role=0
    )
    where
    grantee in (
    select username from dba_users
    where lock_date is null
    and password != 'EXTERNAL'
    and username != 'SYS')
    or grantee='PUBLIC'
    /
    :ADVISOR:SECURE_OEM_ROLE:DBSNMP
    :ANALYZE ANY:SECURE_OEM_ROLE:DBSNMP
    :ANALYZE ANY DICTIONARY:SECURE_OEM_ROLE:DBSNMP
    :CREATE JOB:SECURE_OEM_ROLE:DBSNMP
    :CREATE PROCEDURE:SECURE_OEM_ROLE:DBSNMP
    :CREATE SESSION:USER1
    :CREATE SESSION:USER2
    :CREATE SESSION:SECURE_OEM_ROLE:DBSNMP
    :CREATE TABLE:SECURE_OEM_ROLE:DBSNMP
    :MANAGE ANY QUEUE:SECURE_OEM_ROLE:DBSNMP
    :SELECT ANY DICTIONARY:SECURE_OEM_ROLE:DBSNMP

    it sounds better…
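
The filter below is an added example, not part of the original post: it post-processes the paths printed by the query above and reports every system privilege that an unlocked account or PUBLIC holds beyond the CREATE SESSION / ALTER SESSION baseline the post describes. The function names, the output layout and the last sample line (OPS_ROLE, APP_ROLE, USER3) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: post-process the ":PRIVILEGE[:ROLE...]:GRANTEE" paths printed
# by the query above. BASELINE is the norm the post states for unlocked users.
BASELINE='CREATE SESSION,ALTER SESSION'

# excess_privs: read paths on stdin; print "GRANTEE|PRIVILEGE|VIA" for each path
# whose system privilege is outside BASELINE (VIA is "direct" or the role chain).
excess_privs() {
  awk -F':' -v baseline="$BASELINE" '
    BEGIN { n = split(baseline, b, ","); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
    {
      gsub(/^[ \t]+|[ \t\r]+$/, "")      # tolerate indented or CRLF spool output
      if ($0 !~ /^:/ || NF < 3) next     # skip headings, blanks, row counts
      if ($2 in ok) next                 # baseline privilege: nothing to report
      via = "direct"
      if (NF > 3) { via = $3; for (i = 4; i < NF; i++) via = via ">" $i }
      print $NF "|" $2 "|" via
    }' | LC_ALL=C sort
}

# excess_count: number of findings, usable as a single numeric metric value.
excess_count() { excess_privs | wc -l | tr -d ' '; }

# sample_paths: the paths shown on the page, plus one constructed line
# (OPS_ROLE, APP_ROLE and USER3 are hypothetical) to show a nested role chain.
sample_paths() {
  cat <<'EOF'
    :ADVISOR:SECURE_OEM_ROLE:DBSNMP
    :ANALYZE ANY:SECURE_OEM_ROLE:DBSNMP
    :ANALYZE ANY DICTIONARY:SECURE_OEM_ROLE:DBSNMP
    :CREATE JOB:SECURE_OEM_ROLE:DBSNMP
    :CREATE PROCEDURE:SECURE_OEM_ROLE:DBSNMP
    :CREATE SESSION:USER1
    :CREATE SESSION:USER2
    :CREATE SESSION:SECURE_OEM_ROLE:DBSNMP
    :CREATE TABLE:SECURE_OEM_ROLE:DBSNMP
    :MANAGE ANY QUEUE:SECURE_OEM_ROLE:DBSNMP
    :SELECT ANY DICTIONARY:SECURE_OEM_ROLE:DBSNMP
    :ALTER SYSTEM:OPS_ROLE:APP_ROLE:USER3
EOF
}

sample_paths | excess_privs
```

On the page's own output this leaves eight findings for DBSNMP, all reached through SECURE_OEM_ROLE, which is the list to review when deciding whether the role can be trimmed further.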

    10.1.0.4 management agent for Unix

    I just found in my RSS feed that a new agent has been released. 10.1.0.4 for AIX5L. Well, if you go to the OEM download page, you will see only 10.1.0.2 version for AIX, HPUX, Solaris Sparc. But by clicking on the link, for example Grid Control (10.1.0.2) for AIX5L Based Systems, you will find a link OEM 10g Grid Control Management Agent Release 1, from there I finally discovered that 10.1.0.4 agent download.

    Well, I already had 10.1.0.4, but it was a 10.1.0.2 installation patched with 10.1.0.4. So I prefer installing directly 10.1.0.4 agent.

    Not trivial to find, but hopefully, I subscribed to RSS feeds on Newest Downloads

    Grid without X

    We just received new PCs. Brand new with XP. Nice? Let’s see!

    As usual, I started my Exceed and logged on my AIX server. I tried to start the Grid Control Engine (opmn). Hard luck. Failed to start OC4J instance :-(

    The first problem is, when I installed the Grid, my old workstation DISPLAY name has been registered in opmn.xml!
    The second problem, my server has no graphic card, and no X server running.
    Actually, I do not need X on this server. But to let the Grid start, I will use Frame Buffer. In AIX, you install X11.vfb base package, then mkitab "xvfb:2:once:/usr/lpp/X11/bin/X -force -vfb :1 >tmp/x.txt 2>&1" to start it at the next reboot. Start it now as well.
    Then edit your opmn.xml file and set the DISPLAY variable to localhost:1

    <variable id="DISPLAY" value="localhost:1"/>