Configuring OEM 13c for Oracle Firewall

Edward Whalen
Performance Tuning Corporation
Publication Date: 09/05/2018

Introduction
Oracle Enterprise Manager Cloud Control 13c is the best way to monitor and manage your Enterprise. A
critical part of your enterprise is the Firewall server. Because of the enhanced security on the Firewall
server it can be a little tricky to install the Cloud Control agent. This paper will assist with that process.

There are several steps that must be completed on the Firewall console and the Firewall server in order
to allow the OEM agent to be installed.

Configuring the Firewall Server

There are a few pre-requisites that need to be done in the Firewall console before getting started with
the OEM agent installation.

Setup the Network

On the Firewall Console

Change the Firewall server to use a fully qualified hostname. This should include both a hostname and a
domain name such as fw01.perftuning.com. This is done through the network configuration screen on
the Firewall console. If necessary, it will require a reboot.

Enable SSH connectivity. This is done through the services configuration screen. Select All for SSH
access.

Log on the Firewall server as root and update the network. This is done by logging into the Audit Vault
server as support and using su to switch to root (su -).

Edit the /usr/local/dbfw/templates/template-hosts file and add an entry for your OEM 13c server
172.17.50.7 cc02.perftuning.com cc02

Edit the /usr/local/dbfw/templates/template-iptables file and add the following lines to open port 3872
and 1521.
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW --dport 3872 -j
ACCEPT-A RH-Firewall-1-INPUT -i <%= @management_device %> -p tcp -m
state --state NEW --dport 1521 -j ACCEPT

Edit the /usr/local/dbfw/templates/template-listener.ora file and add the following line just below the
local host line
(ADDRESS = (PROTOCOL = TCP)(HOST = <FW IP Address>)(PORT = 1521))

Configuring OEM 13c for Database Firewall Page 1 of 22

Update the Firewall server network by running the following:
/usr/local/dbfw/bin/priv/configure-networking

Validation can be done with: iptables -L -vn

Edit /etc/ssh/sshd_config to allow access as oracle and root.

Change the line

AllowUsers support
To
AllowUsers support oracle

Restart sshd
$ service sshd restart

Note: To permanently change sshd access for oracle you must change the template. However, since we
only need it to install the agent it should be fine to do it manually. It is recommended that this change
be removed after the host agent installation has completed.’

Set the oracle user password using the passwd command:

$ passwd oracle

Now you are ready to prepare for the agent installation.

Prepare Oracle User for the Agent Installation

Log on the Firewall server as oracle to prepare for the agent installation.

Edit $HOME/.bashrc and add an -s after the oraenv command.

./usr/local/bin/oraenv -s

This will prepare the Oracle user for the agent installation.

Unlock dbsnmp Account

On the Firewall server as oracle (su – oracle)
sqlplus /
alter user dbsnmp identified by <password> account unlock;

At this point you are ready to deploy the agent from the cloud control console.

Configuring OEM 13c for Database Firewall Page 2 of 22

Installing the Agent
Installing the Oracle Enterprise Manager Cloud Control 13c agent is done via a push method from the
OEM console. From the Setup dropdown select Add Target | Add Target Manually. From the Add
Targets Manually screen select Install Agent on Host.

This brings up the Add Host Targets: Host and Platform screen. Click the +Add button and fill in the host
name and Platform.

Configuring OEM 13c for Database Firewall Page 3 of 22

Click Next when completed to proceed to the Add Host Targets: Installation Details screen.

Fill in the Installation Base Directory as /var/lib/oracle/agent13c. The Instance directory will be auto-
populated from the base.

Create a named credential for the oracle user on the Firewall server. This is done by clicking the +
button next to Named Credential. Fill in the UserName and Password and give it a descriptive name and
click the OK button.

Configuring OEM 13c for Database Firewall Page 4 of 22

Leave the root credential blank. For security reasons you will run the root.sh script manually after the
installation.

Click next when you have completed the above steps and proceed to the Add Hosts Targets: Review
screen.

Configuring OEM 13c for Database Firewall Page 5 of 22

Click Deploy Agent when you are ready. You can watch the status of the installation from here.

Configuring OEM 13c for Database Firewall Page 6 of 22

During the installation phase you will get an error about sudo not being setup with visiblepw. Click the
Continue All Hosts dropdown from the Continue button. This method will allow the agent to be
installed without sudo or root access. You will run root.sh manually after the installation.

Configuring OEM 13c for Database Firewall Page 7 of 22

Upon completion you will see that root.sh was not run.

On the Firewall Server as root cd to /var/lib/oracle/agent13c/agent_13.2.0.0.0 and run root.sh

[root@fw01 agent_13.2.0.0.0]# ./root.sh
Finished product-specific root actions.
/etc exist

Creating /etc/oragchomelist file...

You should now see the Firewall server in the Hosts monitor of OEM 13c.

Configuring OEM 13c for Database Firewall Page 8 of 22

Click Save. Proceed back to the Add Targets Manually screen and click on Add Using Guided Process.
Select Oracle Database, Listener and Automatic Storage Management. Select the firewall server.

Click Next to proceed.

Configuring OEM 13c for Database Firewall Page 9 of 22

Click Add. Select the firewall server and Auto Discover. It should discover the database and ASM
instances.

Configuring OEM 13c for Database Firewall Page 10 of 22

The auto discovery process will show what it has discovered for the Firewall server.

Configuring OEM 13c for Database Firewall Page 11 of 22

In the database section click Configure. Change the Preferred Connect String to;
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<IP Address>)
(PORT=1521))(CONNECT_DATA= (SERVICE_NAME=dbfwdb)))

Set the protocol to TCP and the port to 1521.

Note: If you are monitoring other security products I highly recommend that you change the target
name. Key Vault, Firewall and Audit Vault all have the database named dvfwdb and it is not sufficiently
descriptive in the database targets.

Configuring OEM 13c for Database Firewall Page 12 of 22

Click Save and set the Monitor Password and test the connection. Once you are satisfied click next.
Review the Database Discovery and click Save. The target will be saved and promoted.

You should now see the Firewall database in the Databases target screen.

Configuring OEM 13c for Database Firewall Page 13 of 22

Add AVFW Components to OEM 13c
From the Setup dropdown select Extensibility | Plug-ins. Select Oracle Audit Vault and Oracle Database
Firewall under Servers, Storage and Network. Select Deploy on Management Agent from the Deploy On
dropdown.

Configuring OEM 13c for Database Firewall Page 14 of 22

From the Deploy Plug-in on Management Agent screen click Continue.

Configuring OEM 13c for Database Firewall Page 15 of 22

Select the firewall server and click Next.

Validate and click Deploy.

Configuring OEM 13c for Database Firewall Page 16 of 22

Wait for the agent deployment to proceed. When it is completed select Add Target | Configure Auto
Discovery from the Setup dropdown menu.

Configuring OEM 13c for Database Firewall Page 17 of 22

Select the firewall server and click the Discovery Modules button.

Configuring OEM 13c for Database Firewall Page 18 of 22

Check the box next to Discover Audit Vault and Database Firewall Entities then click Ok. Highlight the
Firewall Server and click Discover Now. After a short time, it will return to the Discover Modules screen.

Select Add Target | Auto Discovery Results from the Setup dropdown menu.

Configuring OEM 13c for Database Firewall Page 19 of 22

Highlight Database Firewall entry and click promote. From the Promote Discovered Target screen enter
the following values:

Username: admin
Password: <password>
Preferred Connection String: Should point to the Audit Vault database.
(DESCRIPTION_LIST=(LOAD_BALANCE=off)(FAILOVER=on)
(DESCRIPTION=(ADDRESS_LIST=(LOAD_BALANCE=on)
(ADDRESS=(PROTOCOL=TCP)(HOST=<IP>)(PORT=1521)))
(CONNECT_DATA=(SERVICE_NAME=DBFWDB.DBFWDB)))

You can find this connect string by going to the Settings tab in the Audit Vault server web interface and
clicking on Status (in the SYSTEM section). The connect string is shown there.

Configuring OEM 13c for Database Firewall Page 20 of 22

Click Promote.

Once you have promoted the AV Server you can then go to All Targets and find the Firewall Server and
view the Firewall monitor. This monitor provides an awesome view of the Firewall server.

Configuring OEM 13c for Database Firewall Page 21 of 22

Cleanup
If you haven’t already done it, remove the entry for the oracle user in the /etc/ssh/sshd_config file. This
will restore additional security to the Firewall server.

Summary
It is important to monitor the critical systems in your Enterprise. Included in these systems is the Audit
Vault and Firewall servers. Because of the enhanced security of the Firewall appliance there are a few
additional considerations that have been covered in this paper. Once you have followed these steps and
setup the Firewall for OEM monitoring you will be able to watch not only the servers but the
components of the Firewall as well.

Acknowledgements
Thanks to Russ Lowenthal and George Csaba of Oracle for their help with the technical details.

Configuring OEM 13c for Database Firewall Page 22 of 22