Re: AWS EC2 OEM support

From: Ls Cheng <exriscer_at_gmail.com>
Date: Fri, 6 Jul 2018 11:46:46 +0200
Message-ID: <CAJ2-Qb_TK=jLhCo50OyyPiXWsFN9ch27zwCohN0_BTLKUsnK1A_at_mail.gmail.com>



Hi Pete

Just wondering, why a proxy server
<https://docs.oracle.com/cd/E73210_01/EMADV/GUID-E00C6B3B-D5E2-4E2F-9F94-8A136E3D696E.htm#EMADV636>
is required (or is it optional?) when there is a FW? Isn't it enough to just open the ports?

Thanks

On Fri, Jul 6, 2018 at 12:27 AM, Pete Sharman <peter.sharman_at_westnet.com.au> wrote:

> I don't even remember writing the post that Dave mentioned in his
> original email, but it sounds like it got sorted out while I was still
> asleep anyway. 😊
>
>
>
> Firewalls are a PITA for EM. I never had to worry about them with the
> stuff I did at Oracle, but I've been going backwards and forwards
> multiple times with a client recently with the same problem Dave seems to
> have. I can see why the doc says set it up without firewall rules then add
> the rules afterwards!
>
>
>
> BTW Niall, that support note DOES also point direct to the doc where this
> stuff is covered -
> https://docs.oracle.com/cd/E73210_01/EMADV/GUID-E00C6B3B-D5E2-4E2F-9F94-8A136E3D696E.htm#EMADV632.
> 😊
>
>
>
> Pete
>
>
>
> *From:* oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> *On
> Behalf Of *Dave Herring
> *Sent:* Friday, July 6, 2018 05:21 AM
> *To:* Niall Litchfield <niall.litchfield_at_gmail.com>
> *Cc:* ORACLE-L <oracle-l_at_freelists.org>
> *Subject:* Re: AWS EC2 OEM support
>
>
>
> Yeah, I made the mistake of trusting the FW team when they said they
> properly implemented my FW requests. I just checked from our OEM server
> that port 3872 and in some cases 1521 are still blocked. I'm currently
> checking 4903 from the AWS back to OEM. Unfortunately FW rules are only
> pushed Tues and Thurs, even if they made a mistake on something that
> already passed.
>
>
>
> In the meantime, is it safe to say that outside of adding my public SSH
> key to the OEM server's $HOME/.ssh/authorized_keys file, then using a Named
> Credential with a credential type of "SSH Key Credentials" should work? I
> followed YouTube vid "Oracle Enterprise Manager 12c: Create SSH Key Named
> Credentials" which isn't directly for AWS EC2 but ideally should work.
>
>
>
> Dave
>
>
>
> On Thu, Jul 5, 2018 at 12:36 PM, <niall.litchfield_at_gmail.com> wrote:
>
> I'd imagine that your firewall rules (either virtual or physical or both)
> will require connectivity between your on-premises OEM and the off-premises
> EC2 instances on the relevant ports. These are documented in the
> surprisingly hard to find Note 2362242.1
> (https://support.oracle.com/epmos/faces/DocumentDisplay?id=2362242.1). If you have internal firewalls
> this is probably old hat, but if you don't it's the most likely reason that
> ssh succeeds but monitoring doesn't. You'll also need name resolution to be
> consistent.
>
>
>
> On Thu, Jul 5, 2018 at 5:45 PM Dave Herring <gdherri_at_gmail.com> wrote:
>
> Folks,
>
>
>
> (I've been given the task of setting up monitoring for a number of Oracle
> databases on AWS EC2 and unfortunately given little to no guidance, so I
> apologize upfront if my question seems rather basic.)
>
>
>
> Has anyone set up management agents on AWS EC2 environments to monitor
> from an OEM outside of AWS? We did something similar in the past for RDS
> environments but I was hoping we wouldn't have to rely on the OEM AWS
> plugin, which only provides a rather limited subset of functionality of OEM
> for the envs.
>
>
>
> Since we have SSH key pairs set up to reach the AWS servers, my assumption
> was I could perform agent installations from OEM (which resides outside of
> AWS), using pre-defined Named Credentials that use SSH key pairs.
> Unfortunately it seems the connection can't be made that way through OEM,
> although I did prove I COULD connect at the OS level using the same method.
>
>
>
> I did find a post by Pete Sharman from 5/2016 saying that under OEM 13c
> we'd need to have an Amazon VPC configured and only then could a typical,
> OEM to agent monitoring configuration and that the only other option is to
> use the AWS plugin. But, that's just over 1yr old and I wasn't sure if
> anything has changed since then.
>
>
>
> Thx.
>
>
> --
>
> Dave
>
>
>
>
> --
>
> Niall Litchfield
> Oracle DBA
> http://www.orawin.info
>
>
>
>
> --
>
> Dave
>

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Jul 06 2018 - 11:46:46 CEST
