Monday, April 25, 2022

Steps to Enable Exadata Cloud Service Monitoring using OCI Performance Hub

Introduction:

We can use OCI Performance Hub to analyze and tune the performance of Oracle Cloud Infrastructure Shared and Dedicated Autonomous Databases, Virtual Machine, Bare Metal, Oracle Exadata Cloud Service, and external Oracle databases. 

In this blog, we will walk through the steps to enable monitoring in Oracle Exadata Cloud Service (ExaCS).

High level steps and Prerequisites 

1. Assign OCI user group required permissions to Enable Database Management

2. Assign dbsnmp user with required permissions for the target database

3. Add secret in OCI Vault service with dbsnmp user password

4. Add NSG to enable communication between Database Management and the Oracle Cloud Database

5. Add Private endpoint to enable connectivity between Database management and ExaCS VMs

6. Verify the Exadata monitoring and metrics

Detailed Steps:

1. Make sure the OCI user group has the required permissions.

Database Management Permissions

Here are examples of the policies to grant the DB-MGMT-ADMIN user group permission to create a Database Management private endpoint and monitor the work requests associated with the private endpoint:


Allow group DB-MGMT-ADMIN to manage dbmgmt-private-endpoints in tenancy

Allow group DB-MGMT-ADMIN to read dbmgmt-work-requests in tenancy

Alternatively, a single policy using the Database Management aggregate resource-type grants the DB-MGMT-ADMIN user group the same permissions detailed in the preceding paragraph:

Allow group DB-MGMT-ADMIN to manage dbmgmt-family in tenancy

Exadata Cloud service permission

Here's an example of a policy that grants the DB-MGMT-ADMIN user group the permission to enable Database Management for the Oracle Cloud Databases in the tenancy:

Allow group DB-MGMT-ADMIN to use database-family in tenancy

Networking service permissions

Here are examples of the individual policies that grant the DB-MGMT-ADMIN user group the required permissions:

Allow group DB-MGMT-ADMIN to manage vnics in tenancy

Allow group DB-MGMT-ADMIN to use subnets in tenancy

Allow group DB-MGMT-ADMIN to use network-security-groups in tenancy

or

Allow group DB-MGMT-ADMIN to use security-lists in tenancy

Alternatively, a single policy using the Networking service aggregate resource-type grants the DB-MGMT-ADMIN user group the same permissions detailed in the preceding paragraph:

Allow group DB-MGMT-ADMIN to manage virtual-network-family in tenancy

Vault service permissions

Here's an example of the policy that grants the DB-MGMT-ADMIN user group the permission to create and use secrets in the tenancy:

Allow group DB-MGMT-ADMIN to manage secret-family in tenancy

In addition to the user group policy for the Vault service, the following service policy is required to grant Database Management (dpd) the permission to read database password secrets in a specific vault:

Allow service dpd to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'

2. Grant the dbsnmp user the required privileges and set a compliant password.

a) Grant privileges: 

      GRANT CREATE PROCEDURE TO dbsnmp;     

      GRANT SELECT ANY DICTIONARY, SELECT_CATALOG_ROLE TO dbsnmp;

      GRANT ALTER SYSTEM TO dbsnmp;

      GRANT ADVISOR TO dbsnmp;

      GRANT EXECUTE ON DBMS_WORKLOAD_REPOSITORY TO dbsnmp;

b) Set password for compliance:

The database user password checks in Database Management require the password to be Federal Information Processing Standards (FIPS) compliant:

◉ Password length must be between 14 and 127 characters.

◉ Password must have at least two lowercase, two uppercase, two digits, and two special characters.

SQL> alter user dbsnmp account unlock;

User altered.

SQL> alter user dbsnmp identified by "<password>";

User altered.
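The password rules above can be checked before the value is set on dbsnmp and stored in the secret. The following is an added example, not code from the original post or from Oracle; the function names, the set of special characters used for generation, and the treatment of any non-alphanumeric character as "special" are assumptions.

```python
import secrets
import string

# Rules as stated in the post: 14 to 127 characters, and at least two each of
# lowercase, uppercase, digit and special characters.
MIN_LEN, MAX_LEN, MIN_PER_CLASS = 14, 127, 2
# Assumption: generated passwords draw specials from this small set, which avoids
# quote characters so the value can sit inside "..." in ALTER USER.
GEN_SPECIALS = "#_-+%^*"

def classify(ch):
    """Map one character to the class the rules count it under."""
    if ch in string.ascii_lowercase:
        return "lowercase"
    if ch in string.ascii_uppercase:
        return "uppercase"
    if ch in string.digits:
        return "digit"
    return "special"  # assumption: anything else counts as special

def check_password(pw):
    """Return a list of rule violations; an empty list means the rules are met."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} is outside {MIN_LEN}..{MAX_LEN}")
    counts = {"lowercase": 0, "uppercase": 0, "digit": 0, "special": 0}
    for ch in pw:
        counts[classify(ch)] += 1
    for name, count in counts.items():
        if count < MIN_PER_CLASS:
            problems.append(f"{count} {name} character(s), need {MIN_PER_CLASS}")
    return problems

def generate_password(length=24):
    """Build a random password that satisfies check_password()."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be between 14 and 127")
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, GEN_SPECIALS]
    # Take the required minimum from each class first, then fill from all classes.
    chars = [secrets.choice(pool) for pool in pools for _ in range(MIN_PER_CLASS)]
    chars += [secrets.choice("".join(pools)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the guaranteed characters are not at the front
    return "".join(chars)

if __name__ == "__main__":
    print(check_password("Welcome1"))          # constructed weak sample
    print(check_password(generate_password()))
```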

3. Create a secret in the OCI Vault service for the dbsnmp user above.

Use the Oracle Cloud Infrastructure Vault service to save the database user password in a secret with an encryption key. The Vault service is a managed service that enables you to centrally manage the encryption keys that protect your data and the secret credentials that you use to securely access resources.

Note that if you change the database user password, you must also update the secret with the new password by creating a new version of the secret and updating the contents.

Create Vault

Open the navigation menu, click Identity & Security, and then click Vault.

Under List Scope, in the Compartment list, click the name of the compartment where you want to create the vault.

Click Create Vault.

In the Create Vault dialog box, click Name, and then enter a display name for the vault.


Create key

Open the navigation menu, click Identity & Security, and then click Vault.

Under List Scope, in the Compartment list, click the name of the compartment where you want to create the key.

From the list of vaults in the compartment, click the name of the vault where you want to create the key.

Click Master Encryption Keys, and then click Create Key.

In the Create Key dialog box, choose a compartment from the Create in Compartment list.

Click Protection Mode, and then do one of the following:

- To create a master encryption key that is stored and processed on a hardware security module (HSM), choose HSM.
- To create a master encryption key that is stored and processed on a server, choose Software.

You cannot change a key's protection mode after you create it.  

Click Name, and then enter a name to identify the key.


Create Secret

1. Open the navigation menu, click Identity & Security, and then click Vault.
2. Under List Scope, in the Compartment list, click the name of the compartment where you want to create a secret.
3. From the list of vaults in the compartment, click the name of the vault where you want to create a secret.

4. Click Secrets, and then click Create Secret.
5. In the Create Secret dialog box, choose a compartment from the Create in Compartment list.
6. Click Name, and then enter a name to identify the secret. 
7. Click Description, and then enter a brief description of the secret to help identify it. 
8. Choose the master encryption key that you want to use to encrypt the secret contents while they're imported to the vault. (The key must belong to the same vault. The key must also be a symmetric key. You cannot encrypt secrets with asymmetric keys.)
9. Specify the format of the secret contents you're providing by choosing a template type from the Secret Type Template list.
10. Click Secret Contents, and then enter the secret contents – dbsnmp password.


4. NSG to enable communication between Database Management and the Oracle Cloud Database


You must add ingress and egress security rules to Network Security Groups (NSGs) or Security Lists in the Oracle Cloud Database's VCN to allow communication between the Database Management private endpoint and the Oracle Cloud Database.

- Ingress rule for the ExaCS VM Cluster Subnet: The ExaCS VM Cluster Subnet (on port 1521) can receive incoming traffic from the Database Management private endpoint's subnet from any port.
- Egress rule for the Database Management private endpoint: The Database Management private endpoint's subnet (from any port) can send requests to the ExaCS VM Cluster Subnet on port 1521.


Assign/add the NSG to ExaCS VM Cluster – Client Network Security Groups.
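One way to check an exported NSG rule list against the two rules described above, as an added example that is not part of the original post. It assumes the rules are dictionaries using the field names of OCI NSG security-rule JSON (direction, protocol, source, sourceType, destination, destinationType, tcpOptions); the subnet CIDRs and function names are constructed for illustration.

```python
import ipaddress

LISTENER_PORT = 1521  # listener port named in the post

def covers_port(rule, port=LISTENER_PORT):
    """True if the rule is TCP (or all protocols) and its destination ports include `port`."""
    if rule.get("protocol") not in ("6", "all"):  # "6" is TCP in OCI rule JSON
        return False
    ports = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    return ports is None or ports["min"] <= port <= ports["max"]  # no range means all ports

def audit_nsg_rules(rules, pe_subnet, db_subnet):
    """Return findings; [] means both required rules exist and no other source reaches the port."""
    pe, db = ipaddress.ip_network(pe_subnet), ipaddress.ip_network(db_subnet)
    findings, ingress_ok, egress_ok = [], False, False
    for n, rule in enumerate(rules):
        if not covers_port(rule):
            continue
        if rule["direction"] == "INGRESS" and rule.get("sourceType") == "CIDR_BLOCK":
            src = ipaddress.ip_network(rule["source"])
            ingress_ok = ingress_ok or src.overlaps(pe)
            if not src.subnet_of(pe):  # source reaches beyond the private endpoint subnet
                findings.append(f"review rule {n}: port {LISTENER_PORT} also reachable from {src}")
        elif rule["direction"] == "EGRESS" and rule.get("destinationType") == "CIDR_BLOCK":
            egress_ok = egress_ok or ipaddress.ip_network(rule["destination"]).overlaps(db)
    if not ingress_ok:
        findings.append("missing ingress from the private endpoint subnet on port 1521")
    if not egress_ok:
        findings.append("missing egress to the VM cluster subnet on port 1521")
    return findings

# Constructed sample data (CIDRs are placeholders, not values from the post).
PE_SUBNET, DB_SUBNET = "10.0.2.0/24", "10.0.1.0/24"

def tcp_rule(direction, cidr):
    side = "source" if direction == "INGRESS" else "destination"
    return {"direction": direction, "protocol": "6", side: cidr, side + "Type": "CIDR_BLOCK",
            "tcpOptions": {"destinationPortRange": {"min": 1521, "max": 1521}}}

RULES_TIGHT = [tcp_rule("INGRESS", PE_SUBNET), tcp_rule("EGRESS", DB_SUBNET)]
RULES_LOOSE = [tcp_rule("INGRESS", "0.0.0.0/0")]

if __name__ == "__main__":
    for name, rules in (("tight", RULES_TIGHT), ("loose", RULES_LOOSE)):
        print(name, audit_nsg_rules(rules, PE_SUBNET, DB_SUBNET))
```

A "review" finding is informational: application subnets may legitimately need port 1521 as well, but a source such as 0.0.0.0/0 should not appear.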
 

5. Create a Database Management private endpoint


A Database Management private endpoint is required to enable communication between Database Management and the Oracle Cloud Database in a VCN. The Database Management private endpoint is its network point of presence in the VCN in which the Oracle Cloud Database can be accessed.

To create a Database Management private endpoint:

1. Open the navigation menu, click Observability & Management. Under Database Management, click Administration.

2. On the left pane on the Administration page, click Private Endpoint and select the compartment in which you want to create the private endpoint.

3. On the Private Endpoints page, click Create Private Endpoint.

4. In the Create Private Endpoint dialog:

    1. Name: Enter a name for the private endpoint.
    2. Description: Optionally, enter a description for the private endpoint.
    3. Choose Compartment: Select the compartment in which you want the private endpoint to reside.
    4. Use this private endpoint for RAC databases: Select this check box. The Database Management private endpoint for RAC Oracle Cloud Databases is a limited resource and you can create only one such private endpoint in your tenancy.
    5. Virtual Cloud Network in <Compartment>: Select the VCN in which the Oracle Cloud Database can be accessed.
    6. Subnet in <Compartment>: Select a subnet within the selected VCN. Note that the subnet can be in a different compartment than the VCN; however, it must have access to the database subnet in the VCN.
    7. Network Security Group: select an NSG added to the Exadata VM cluster.


6. Enable Database management


Go to the target database details page.
Under Associated Services, next to Database Management, click Enable.
In the Enable Database Management dialog:

Specify the following details:

Note: Database Type, VM Cluster, Database Home, Database - details are preselected and read-only.

    1. Service Name: The unique service name in the Database_Name.Host_Domain_Name format (can be found in target DB - tnsnames.ora service_name field in DB server)

Specify the database credentials for the connection to the selected Oracle Cloud Database.

    2. Database User Name: Enter the database user name – dbsnmp.

    3. Use existing secret: Select the radio button to use an existing Oracle Cloud Infrastructure Vault service secret that contains the database user password.

    4. Database User Password Secret in <Compartment>: Select the secret that contains the database user password from the drop-down list.

    5. Private Endpoint in <Compartment>: Select the private endpoint that will act as a representation of Database Management in the VCN in which the Oracle Cloud Database can be accessed.

    6. Management Options: Select Full management option.

    7. Click Enable Database Management.


A confirmation message with a link to the Oracle Cloud Database's Work Requests page is displayed. Click the link to monitor the progress of the work request.

7. Verify


You can verify if Database Management is successfully enabled on the following pages:

◉ Database Details page of the Database: Select Metrics on the left pane under Resources and check if the database metrics are displayed.

◉ Database Details page of the Database: Click the Performance Hub tab, then click the Exadata tab to view the Exadata monitoring screen.


◉ Click Exadata Details on the same page to view more metrics.


Note: This Exadata monitoring comes with the Database Full Management option, which is an additional-cost option.

Source: oracle.com
