Set Up Access to Storage Servers
You must perform certain tasks to set up access to the storage servers that you want to monitor using Database Management.
The following tasks must be performed before adding a connection to the storage server during the Exadata Infrastructure discovery process because the storage server user credentials and the SSL certificate imported to the Management Agent truststore are tested against the storage server. The connection to the storage server from the Management Agent can be added only after a test query is sent from the Management Agent to the storage server.
- Ensure the availability of an ExaCLI user to access and monitor the storage servers
- Ensure the availability of the storage server's SSL certificate in the Management Agent truststore
Ensure the availability of an ExaCLI user to access and monitor the storage servers
The Management Agent used to connect to the storage servers requires ExaCLI credentials to collect metrics through the storage server's REST endpoint.
Recommended option: It's recommended that you use the out-of-the-box cellmonitor user.
Secondary option: You also have the option of creating a new ExaCLI administrative user. If you choose to create a new ExaCLI administrative user, then the new user must be created in all storage servers. Also, the new user must have list privileges on all objects. For example:
> ssh root@<storage server>
> cellcli
CellCLI> CREATE ROLE monitor
CellCLI> GRANT PRIVILEGE list ON ALL OBJECTS ALL ATTRIBUTES WITH ALL OPTIONS TO ROLE monitor
CellCLI> CREATE USER mycellmon password=*
CellCLI> GRANT ROLE monitor TO USER mycellmon
To create a new ExaCLI user across multiple storage servers using the dcli utility:
dcli -l <OS User> -c <storage_server_1>,<storage_server_2>,... "cellcli -e CREATE ROLE monitor; cellcli -e GRANT PRIVILEGE list ON ALL OBJECTS ALL ATTRIBUTES WITH ALL OPTIONS TO ROLE monitor; cellcli -e CREATE USER mycellmon password=*; cellcli -e GRANT ROLE monitor TO USER mycellmon"
For information on how to:
- Create a new ExaCLI administrative user, see Creating Users for Use with ExaCLI in Oracle Exadata Database Machine Maintenance Guide.
- Use CellCLI utility, see Using the CellCLI Utility in Oracle Exadata Database Machine User's Guide.
- Use the dcli utility, see Using the dcli Utility in Oracle Exadata Database Machine User's Guide.
Ensure the availability of the storage server's SSL certificate in the Management Agent truststore
The SSL certificates are required to confirm the identity of the storage servers in the Exadata Infrastructure to the Management Agent. The communication between the storage servers and the Management Agent uses HTTPS and requires the storage server's SSL certificates in the Management Agent's truststore.
Before you import the storage server's SSL certificate to the Management Agent's truststore, it's recommended that you test the SSL certificate against the storage server REST endpoint in the agent host:
curl -u [cellmonitorUserName:cellmonitoruserpassword] --cacert [certificate file] 'https://[storage_server_name]:[port]/MS/RESTService/?cmd=list+cell'
For example:
curl -u monitor_user1:monitor_password --cacert ./my_storage_server.pem 'https://my_storage_server:443/MS/RESTService/?cmd=list+cell'
To import the storage server's SSL certificate to the Management Agent's truststore:
- Obtain the storage server's SSL certificate. To download the certificate from the storage server:
echo | openssl s_client -showcerts -servername [storage_server_name] -connect [storage_server_name:port] 2>/dev/null | openssl x509 -out storage_server_certificate.pem
- Add the storage server's SSL certificate to a truststore on the Management Agent node. If you already have a truststore created on the Management Agent node, then you can reuse it. To create a new truststore or to add the SSL certificate to an existing truststore:
keytool -importcert -alias [storage_server_name] -file [path_to_storage_server_certificate.pem] -trustcacerts -keystore /path/to/truststore -storetype JKS
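The following POSIX shell script is an added example, not code from the Oracle documentation or the Database Management product. It strings the test and import steps above together and adds the checks an operator wants before a certificate is trusted: that the downloaded certificate is not expired, that it actually names the storage server (DNS subjectAltName, or subject CN when no SAN is present), and optionally that its SHA-256 fingerprint matches a value read on the storage server itself. The credential test passes only the user name to curl so that the cellmonitor password is prompted for rather than placed on the command line. The function names, the hostnames, ports, users and paths, and the availability of openssl, curl and keytool on PATH are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not Oracle's code: check a storage server's certificate before
# trusting it, then import it into the Management Agent truststore.
# Assumptions (not from the documentation): openssl, curl and keytool are on
# PATH; hostnames, ports, users and paths are placeholders supplied by the caller.

# Download the certificate the storage server presents on its HTTPS port.
# Usage: fetch_cert <storage_server_name> <port> <out.pem>
fetch_cert() {
    echo | openssl s_client -showcerts -servername "$1" -connect "$1:$2" 2>/dev/null \
        | openssl x509 -out "$3"
}

# Return 0 if the certificate's SHA-256 fingerprint equals the expected value
# (compare with the fingerprint read on the storage server itself, out of band).
# Usage: fingerprint_matches <cert.pem> <AA:BB:...>
fingerprint_matches() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr 'a-f' 'A-F')
    [ "$actual" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Return 0 if the certificate is not expired and names the storage server in a
# DNS subjectAltName or, when the certificate carries no SAN, in the subject CN.
# Prints the fields an operator should look at before the import.
# Usage: inspect_cert <cert.pem> <storage_server_name>
inspect_cert() {
    cert=$1; host=$2
    openssl x509 -in "$cert" -noout -subject -dates -fingerprint -sha256 || return 1
    # -checkend 0 exits non-zero when the certificate is already past notAfter
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate for $host is expired" >&2
        return 1
    fi
    # Collapse the SAN line of the text dump to "DNS:a,DNS:b" and look for the host.
    sans=$(openssl x509 -in "$cert" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' \n')
    case ",$sans," in
        *",DNS:$host,"*) return 0 ;;
    esac
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ -z "$sans" ] && [ "$cn" = "$host" ]; then
        return 0
    fi
    echo "certificate does not name $host (SAN: ${sans:-none}, CN: ${cn:-none})" >&2
    return 1
}

# Test the monitoring credentials and the certificate against the REST endpoint.
# Only the user name is passed to -u: curl prompts for the password, so it stays
# out of the process list and the shell history.
# Usage: test_rest <storage_server_name> <port> <cert.pem> <cellmonitor_user>
test_rest() {
    curl -sS -u "$4" --cacert "$3" "https://$1:$2/MS/RESTService/?cmd=list+cell"
}

# Import into a JKS truststore; keytool prompts for the store password and asks
# for confirmation before trusting the certificate.
# Usage: import_cert <storage_server_name> <cert.pem> </path/to/truststore>
import_cert() {
    keytool -importcert -alias "$1" -file "$2" -trustcacerts -keystore "$3" -storetype JKS
}

# End to end: check_cell_cert.sh <storage_server_name> <port> <truststore> [<expected_sha256>]
main() {
    host=$1; port=$2; truststore=$3; expected=${4:-}
    cert="${host}_certificate.pem"
    fetch_cert "$host" "$port" "$cert" || { echo "could not fetch certificate from $host:$port" >&2; exit 1; }
    inspect_cert "$cert" "$host" || exit 1
    if [ -n "$expected" ]; then
        fingerprint_matches "$cert" "$expected" || { echo "fingerprint mismatch for $host" >&2; exit 1; }
    fi
    import_cert "$host" "$cert" "$truststore"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

The hostname check follows what curl does during the test query: a certificate that carries a subjectAltName is matched on its DNS entries only, and the subject CN is consulted only when no SAN is present. A certificate that passes inspect_cert but has an unexpected fingerprint should still not be imported, which is why main refuses the import on a mismatch when an expected value is given.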
When adding a connection to monitor the storage server using Database Management, you must provide the truststore file location. For information, see Add Connections to Storage Servers.
Note that if you're using custom SSL certificates with a common domain name for all storage servers, where all storage servers are using the same certificate, then you only need to import that certificate once into the truststore (if using the same Management Agent to monitor multiple storage servers).