RE: oem 13.2 patching

From: Brian Pardy <brianpa_at_burton.com>
Date: Thu, 18 Oct 2018 16:40:11 +0000
Message-ID: <92C2516C1D75EB4A922A8EE402EC23D50162378B25_at_helo.usa.burton.com>



Unfortunately there is a LOT more than that.

Please review note 1664074.1, “Applying Enterprise Manager Recommended Patches” for a full overview of everything there is to get done, and recommendations on the order to apply them. This note was last updated in February 2018 so the patch numbers in it will not be up to date and you’ll need to dig around to identify the current patches (or run my script that I link to below).

Generally, these are the elements I keep patched for EM13c R2:

-Repository database with latest proactive patch bundle, OCW security patch, JavaVM patch, and APEX patch
-Same DB patches for any AWR warehouse database used by EM
-Maintain correct/current/required versions of OPatch and OMSPatcher on all OMS instances, and updated OPatch on all agents
-Maintain up-to-date Java 1.7 versions in the middleware home and on agents (1.7.0_171 works for me, tried 1.7.0_201 this morning and had problems)
-Update agent-side plugins via self-update when new releases available
-OMS side plugin patching for 13.2.1 plugins, 13.2.2 plugins, 13.2.3 plugins (current patches 27523593, 28628403, 28628415, respectively – apply all three)
-WLS in middleware home with quarterly PSU patches and other required security patches (toplink=24327938, OSS=26591558)
-Current agent bundle patch on all agents (latest 28533438)
-Agent-side plugin bundle patches for all DISCOVERY plugins installed on all agents
-Agent-side plugin bundle patches for all MONITORING plugins installed on all agents

It’s a ton to deal with. I do not know what OS you run, but I have a bash script that works on Linux, Solaris, and AIX, to evaluate your OMS and the agent on the OMS server to identify all currently needed patches. You can download it from: https://raw.githubusercontent.com/brianpardy/em13c/master/checksec13R2.sh and just run it as the user account that runs your OMS stack. It also includes checks on security setup on the repository database like SQL*Net encryption parameters, checksum algorithms and encryption algorithms, and will also check for default/self-signed certificates on your OMS/agents, and makes sure that SSLv3/TLSv1.0/TLSv1.1 and LOW or MEDIUM strength ciphersuites are disabled on all of your OMS/WLS components. I don’t think this will work on Windows hosts (needs bash, awk, grep, openssl).

If you configure an EM admin account for it to use along with all the necessary saved/preferred credentials, then log in to EMCLI with that account before running my script, it will also use EM jobs to check all of your agents to make sure they have the correct versions of OPatch, plugin bundle patches, Java, and so on. I have a script to simplify creating that account on my GitHub too. I have a big blog post that describes both of these scripts: https://pardydba.wordpress.com/2016/10/28/securing-oracle-enterprise-manager-13cr2/

Apologies for the self-promotion!

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Andrew Kerber
Sent: Thursday, October 18, 2018 12:07 PM
To: ORACLE-L <oracle-l_at_freelists.org>
Subject: oem 13.2 patching

I am trying to understand the Oracle patch document for Oracle OEM Cloud Control 13c. It's a plain vanilla install, with just the standard agents and plug-ins. We have never patched it. Reading through the document for Oct, can someone with experience please verify my understanding. I am confident I understand the database patching, but the Cloud Control patching isn't so clear to me.

As I read the document, I need to install these patches for Cloud Control, in addition to the db patches:

28717501<https://support.oracle.com/epmos/faces/ui/patch/PatchDetail.jspx?parent=DOCUMENT&sourceId=2433477.1&patchId=28717501> for oms base platform oms home
28195767 for agent homes

Can someone with a little more experience on Cloud control patching please verify that?

--

Andrew W. Kerber

'If at first you don't succeed, don't take up skydiving.'
--

http://www.freelists.org/webpage/oracle-l Received on Thu Oct 18 2018 - 18:40:11 CEST
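
The reply above mentions checking SQL*Net encryption parameters, checksum algorithms and encryption algorithms on the repository database. The following is an added example of that kind of check, not code from checksec13R2.sh or from the thread. It audits the server-side native network encryption parameters in a sqlnet.ora file; the pass/fail policy (REQUIRED, AES only, SHA-2 only), the function names and the two sample files are assumptions constructed for illustration.

```bash
# Added example: audit sqlnet.ora native network encryption settings.
# ASSUMPTIONS: one parameter per line; policy = REQUIRED, AES only, SHA-2 only.
get_param() {   # $1=file $2=parameter -> value, upper-cased, spaces/parens removed
  awk -v want="$2" '
    /^[ \t]*#/ || !index($0, "=") { next }
    { name = toupper(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", name)
      if (name == want) { val = toupper(substr($0, index($0, "=") + 1))
                          gsub(/[ \t()]/, "", val); print val; exit } }' "$1"
}

check_list() {  # $1=file $2=parameter $3=space-separated allowlist; prints findings
  val=$(get_param "$1" "$2")
  if [ -z "$val" ]; then echo "FAIL $2 unset (no algorithm restriction)"; return; fi
  for alg in $(echo "$val" | tr ',' ' '); do
    case " $3 " in *" $alg "*) ;; *) echo "FAIL $2 permits $alg" ;; esac
  done
}

audit_sqlnet() {  # $1=file; prints one FAIL line per finding, returns 1 if any
  out=$(
    for p in SQLNET.ENCRYPTION_SERVER SQLNET.CRYPTO_CHECKSUM_SERVER; do
      v=$(get_param "$1" "$p")
      [ "$v" = "REQUIRED" ] || echo "FAIL $p=${v:-unset} (want REQUIRED)"
    done
    check_list "$1" SQLNET.ENCRYPTION_TYPES_SERVER "AES256 AES192 AES128"
    check_list "$1" SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER "SHA512 SHA384 SHA256"
  )
  [ -z "$out" ] && return 0
  echo "$out"; return 1
}

# Constructed sample files (not taken from any real system).
WEAK=$(mktemp); GOOD=$(mktemp)
cat > "$WEAK" <<'EOF'
# constructed: encryption optional, legacy algorithms still offered
SQLNET.ENCRYPTION_SERVER = requested
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, 3DES168, RC4_128)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256, MD5)
EOF
cat > "$GOOD" <<'EOF'
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512, SHA256)
EOF
audit_sqlnet "$WEAK" || echo "weak sample: findings above"
audit_sqlnet "$GOOD" && echo "good sample: clean"
```

Point `audit_sqlnet` at the repository database's own sqlnet.ora to use it on a real system; a parameter value continued across several lines is not handled by this parser.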
