Ralf Durben Business Unit Datenbank Oracle Corporation


Realize Immediate Value

• Grid Control
  – Management of all the Oracle Grid components
  – Centrally manage entire enterprise
  – Out-of-box management for all Oracle products
• Product Controls
  – Fully functional standalone management
  – Out-of-box with each product

• Zero-implementation, Zero time-to-value
• Access by Anybody, Anywhere
• Open Repository Schema
• Easy extensibility and customization
• Support of Standards
• Scalability, robustness and self-maintenance

[Figure: "Manage from Anywhere". Labels: Mobile Device, HTML Console, Portals, HTTP/S, Firewall, Open Repository]

• Installed in a private Oracle home via
  – Regular install off a CD/Stage
  – Download from central Management Server
• Controlled by: emctl start|stop|status agent
• Typically started at bootup time
• By default occupies port 1813 (http/s)

(Continued)

• Runtime consists of:
  – Persistent emagent process
  – Periodic, short-lived processes (due to OSCmd fetchlet)
  – Lightweight Watchdog process that monitors and corrects

[Figure: agent architecture. Labels: From OMS; To OMS; Upload Data & Heartbeating; Receive Commands (Config changes, Realtime Metric Values, Remote Op Submission); Scheduler; Self Monitor; Metadata Mgr; Target Inv.; State Mgr; Agent Services; Fetchlet Engine (OS Cmd, SQL, SNMP, HTTP)]

• Installed in private Oracle home along with all its dependencies
• Controlled via: emctl start|stop|status oms
• Runtime consists of:
  – Apache Server
  – Oracle’s J2EE Container (OC4J) with EM App
  – Lightweight Watchdog process that monitors and corrects

[Figure: OMS architecture. Labels: To Agent; From Agent; To Repository; Console Access; Data and Heartbeat Receiver; Agent Client Layer (Configuration changes, Real time metrics, Remote Ops submission); Console User Interface (JSPs / Servlets); Data Loader; Self Monitor; Job Dispatcher; Notification Dispatcher]

• Installed within an Oracle database
  – For large scale, it should be a dedicated database
• Consists of data storage structures plus PL/SQL code that executes on demand or on schedule
• Performs the following operations:
  – Historical data summarization and purging
  – Availability calculations
  – Notification queuing and dispatching
  – Job scheduling

[Figure: communication paths between Browser, OMS, EM Repository, agents and Managed Targets. Link labels: https, Net - ASO, icmp]

Extensibility

1. Define and instrument target metrics
2. Build custom UI’s and Report through Repository Access
3. Extend Console UI

[Figure labels: Agent, Active Management Repository, EM Black Box]

• Extend EM to manage custom applications
  – Add new managed target types
    • Ex: 3rd party Application management
  – Add metrics to existing target types
    • Ex: Site-specific host monitoring
• Extend EM for comprehensive management
  – Custom reporting based on EM Repository data
    • Ex: Service Level Reporting
  – Custom job system
    • Ex: Scriptable EM commands via the CLI
• Integrate EM with 3rd party management products
  – Custom alert notification methods
    • Ex: Link to trouble-ticketing system
  – Customize GUI for existing target types
    • Ex: Link in-context to 3rd party tools

User Access

• User Security
  – The breadth of management tasks available in Enterprise Manager depends on the privileges and roles assigned to the administrators.
• Default Users:
  – SYSMAN - is created by default during the installation of Oracle Enterprise Manager. The SYSMAN Super Administrator then creates other administrator accounts for daily administration work. The SYSMAN account should only be used to perform infrequent system wide, global configuration tasks.
  – SYS - database users defined in the Management Repository after install
  – SYSTEM - database users defined in the Management Repository after install

• By default during the installation of Oracle Enterprise Manager, one Super Administrator is created with the username of SYSMAN.
• A Super Administrator has the ability to perform all of the following tasks:
  – Ability to create, modify and delete any Enterprise Manager administrator.
  – Ability to create any role in the system.
  – Ability to perform any action on any target in the system.
  – Ability to see all areas of the Management System primary tab.

• System Privileges - allow a user to perform system wide operations within Enterprise Manager 10g Grid Control.
  – VIEW ANY TARGET
  – ADD ANY TARGET
  – USE ANY BEACON
  – MONITOR ENTERPRISE MANAGER
• Target Privileges - allow a user to perform operations on a specific target within Enterprise Manager 10g Grid Control.
  – VIEW - Allows the administrator to view properties, inventory and monitor information about a target.
  – OPERATOR - Allows the administrator to perform Startup, Shutdown, and Edit target properties operations on a target.
  – FULL - Implicitly grants all the target privileges and allows the administrator to 1) Delete a target and 2) Configure credentials for maintenance operations of a target
  – ADD TARGET IN GROUP - Allows the administrator to add a target in a specific group and to grant privileges on a group. The privileges are propagated.
  – MANAGE TARGET GROUP - Allows the administrator to add a target in a specific target group or delete a target from a specific target group.

EM2Go

• To facilitate wireless access to performance and diagnostics information
• To enable a DBA to perform a corrective action from a wireless device on occurrence of an event.
• Perform basic administration tasks from a wireless device.


Downloadable agent installs
  – Installs from central OMS site containing agent binaries on all ports
  – Uses scripted ‘pull’ install via OUI in silent mode
  – Script can be wrapped to automate delivery to multiple nodes

• Goal: 2000 hosts, 100 concurrent users
• Deployment Suggestion:
  – 3 OMS Lintel boxes (Dell 1650) behind an SLB
  – 2 Repository Lintel boxes (Dell 2650) running RAC
  – Fast Disk subsystem, striped, mirrored (NetApps)
  – DR solution based on physical standby database
• Total hardware cost: Less than $50K

• Installation of EM10g Agent
  – Automated using EM9i Job System
• Repository Migration captures EM9i Information:
  – Administrators
  – Preferred Credentials
  – Roles
  – Groups
  – Hosts
  – Databases
  – Listeners
• EM9i and EM10g can be run in tandem
  – Migration can be implemented incrementally
  – Simplifies transition to the EM10g Grid Control Framework

Existing EM9i Environment

[Figure: Enterprise Manager 9i]

Step One: Install EM10g

Step Two: Install EM10.1 Management Agent

Step Three: Migrate Repository Data

Step Four: Customize Metric Thresholds

[Figure for each step: Enterprise Manager 9i alongside Enterprise Manager 10.1 with its HTML Console]

System Monitoring

• Monitoring of Oracle Eco-system
• Complements ASLM for end-to-end monitoring
• Critical performance rollups
• “Need to know” management
• Application availability

[Figure labels: Applications, Homogenous Logical Sets]

• Monitor from anywhere via HTML-based Console
• Immediate Out-of-Box value:
  – Real time monitoring
  – Predefined metrics with Oracle-recommended defaults
  – Historical collections for trend analysis
  – Out-of-box notifications for critical alerts
• Enhanced Diagnostics
  – Alerts shown in context of metric history
  – Can compare metrics across targets for problem isolation
• Enhanced Availability monitoring
  – Breakdown of availability states over past day, week, month
  – Blackouts for scheduled maintenance periods

• Can use EM baselines as aid to thresholding
  – EM calculates thresholds based on deviations from past target performance
• Notifications
  – Supports: E-mail, OS script, PL/SQL script, SNMP traps
  – E-mail message has context-sensitive link to metric details in EM Console
• User Defined Metrics

• User-defined monitoring policies (templates)
• Enhanced real-time graphs
• Availability enhancements
  – Allow users to specify window for SLA calculations
• Notification enhancements:
  – Customize messages
  – Repeat notifications / Notification Escalations
• Integration with 3rd party management vendors

Job System

• Basic job system functionality
• Support group operations

• Distributed architecture
• Execute simple or complex tasks across 100’s of systems
• Easy to use and scalable
• Pre-packaged jobs
  – Backup, export/import, patch, clone…
• Ad hoc jobs
  – Custom Host or SQL scripts
  – Support for Group targets

EM 10g Job System

• Operational control
  – Use of preferred credentials
  – Stop / Retry / Resume & Suspend
  – Simple purge policy
• Job Access privileges for cooperative management
• Job Library

EM 10g Job System

• Notification support
• User-defined multi-task jobs across different hosts
  – Support dependencies between tasks on diff. targets/hosts
• Definer’s rights jobs with new ‘Execute’ privilege
• New job tasks (e.g. iAS jobs)
• User-defined target properties as job parameters
• “Abort” job
• Enhanced scheduling
  – Business calendars, run job on machine idle time, run on event, etc
• Enhanced load-balancing for jobs running in clusters/groups
• Job SDK

Configuration Management
Policy Management

• Complete inventory of all Oracle software
  – Versions
  – Patch levels
• Configuration details for all Oracle products
• Related software and hardware configuration details

“How many instances need to have a given patch applied? –Is my O/S at the right patch level?”

• Tracking changes
• Comparing and validating configurations
• Searching across enterprise
• Understanding product and feature usage

“When things stop working, the first thing we do is try to figure out what has changed”

–CalISO DBA

• Reduce manual labor in software life-cycle
  – From hours to minutes
• Automate mass provisioning of reference systems
• Intelligent Cloning makes context-specific adjustments
  – DB: home, host name, listener
  – iAS: IP address, host name, web listener

1. Select Software (and Instances) to Clone
2. Clone to Selected Targets
3. Update Inventory

“Our administrators spend about 25% of their time on installs and cloning”

-Verizon Information Services DBA

• Cloning an Entire Database
  – RMAN-based
  – Clone Library
  – Online (w/ Archivelog mode)
  – Scheduled as EM Job
• Data+Schema Cloning
  – DBLINK-based
  – Schema and data (sub-set) cloning
  – Version and platform independent

[Figure: Cloning Wizard]

• Real-time discovery of new patches
• Security patch rapid deployment dramatically reduces vulnerabilities
• Automated staging and application
  – From hours to minutes

1. Patch Published
2. Determine Applicability
3. Apply Patch
4. Update Inventory

Slammer virus exploited known security flaw to which patch was available 6 months prior to attack

• Automatic tracking by EM of critical bug advisories on MetaLink
• Daily inspection of all installations and flagging of “violators”
• In-context launch of patch wizard to deploy and apply appropriate patches

• Out-of-box policy definition
• Identify security vulnerabilities
• Missing patches
• Access vulnerabilities
• Open ports
• Configuration best practices
• Search enterprise for policy violations
• Standardize across systems

Policy

All Oracle Software
1. Security alerts
2. Critical patches

Host
1. Detect open ports
2. Detect insecure services

Application Server
1. HTTPD has minimal privileges
2. Use HTTP/S
3. Apache logging should be on
4. Demo applications disabled
5. Disable default banner page
6. Disable access to unused directories
7. Disable directory indexing
8. Forbid access to certain packages
9. Disable packages not used by DAD owner
10. Remove unused DAD configurations
11. Redirect _pages directory
12. Password complexity enabled
13. Use HTTP/S

Database Services
1. Enable listener logging
2. Password-protect listeners
3. Disable direct listener administration
4. Disallow remote OS roles and authentication
5. Disallow use of remote password file
6. Restrict access to external procedure service

Database User Privileges
1. Disable install and demo accounts
2. Disallow default user/password
3. PUBLIC has execute System privilege
4. PUBLIC has execute Object privilege
5. PUBLIC has execute UTL_FILE privilege
6. PUBLIC has execute UTL_SMTP privilege
7. PUBLIC has execute UTL_HTTP privilege
8. PUBLIC has execute UTL_TCP privilege
9. PUBLIC has execute DBMS_RANDOM
10. Password complexity
11. Restrict number of failed login attempts
12. Authentication protocol fallback
13. Connect and Resource grants
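
Several of the Database Services and Database User Privileges policies above can be spot-checked by hand from the data dictionary. The queries below are an added example, not Enterprise Manager's own policy code; they assume a session with SELECT access to the standard DBA_TAB_PRIVS, DBA_ROLE_PRIVS, DBA_PROFILES and V$PARAMETER views.

```sql
-- Added example: manual spot-checks for some of the listed policies.
-- Assumption: run as a user allowed to read the DBA_* and V$ views.

-- PUBLIC has execute on UTL_FILE / UTL_SMTP / UTL_HTTP / UTL_TCP / DBMS_RANDOM
SELECT table_name AS package_name, owner, grantor
FROM   dba_tab_privs
WHERE  grantee   = 'PUBLIC'
AND    privilege = 'EXECUTE'
AND    table_name IN ('UTL_FILE', 'UTL_SMTP', 'UTL_HTTP',
                      'UTL_TCP', 'DBMS_RANDOM')
ORDER  BY table_name;

-- Connect and Resource grants: who holds the broad legacy roles
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('CONNECT', 'RESOURCE')
AND    grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY grantee, granted_role;

-- Password complexity / Restrict number of failed login attempts:
-- profiles with no verify function or no lockout limit.
-- A LIMIT of 'DEFAULT' inherits from the DEFAULT profile, so check that row too.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  (resource_name = 'FAILED_LOGIN_ATTEMPTS'    AND limit = 'UNLIMITED')
   OR  (resource_name = 'PASSWORD_VERIFY_FUNCTION' AND limit = 'NULL')
ORDER  BY profile, resource_name;

-- Disallow remote OS roles and authentication /
-- Disallow use of remote password file
SELECT name, value
FROM   v$parameter
WHERE  (name IN ('remote_os_authent', 'remote_os_roles')
        AND UPPER(value) = 'TRUE')
   OR  (name = 'remote_login_passwordfile'
        AND UPPER(value) <> 'NONE');
```

A query that returns no rows means the corresponding policy is met on that database; any row is a finding to review.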

1. Insufficient Number of Control Files

2. Insufficient Redo Log Size

3. Insufficient Number of Redo Logs

4. Use of Unlimited Autoextension

5. Use of Non-Standard Init. Parameters

6. Recovery Area Location Not Set

7. Autobackup of Control File is not Enabled

8. SYSTEM TS Used as User Default TS

9. Segment with Extent Growth Policy Violation

10. Tablespace Containing Mixed Segment Types

11. Not Using Locally Managed Tablespaces

12. SYSTEM TS Contains Non-System Data Seg

13. Users with Permanent TS as Temporary TS

14. Insufficient Recovery Area Size

15. Force Logging Disabled

16. Not Using Spfile

17. Rollback in SYSTEM Tablespace

18. Not Using Undo Space Management

19. Non-uniform Default Extent Size

| Feature | Grid Control | DB Control |
|---|---|---|
| Policy Management | Yes | Yes |
| Searching | Yes | Not Available |
| Cloning | Yes | Yes within same host |
| Host and DB Comparison | Yes | Not applicable as there’s only one host and one DB |
| Patching | Yes | Yes |
| Critical Patch Advisory | Yes | Yes |
| Deployments Summary | Yes | Inherently only one deployment, thus not applicable |

Application Service Level Management

Model End-User Communities

Web Application

Availability and Performance may vary from location to location

Approach

• Business transaction monitoring
  – Preempt problems with proactive monitoring
• Monitoring of real end-user experience
• Complemented by traditional EM system monitoring