Configuring ASR Manager on Oracle ODA version 12.1.2.9.0 (SNMP v3 Security)

Share on:

Oracle Auto Service Request is a warranty service offered under the bundled Oracle Premier Support for hardware support. This enables you to lean back and let Oracle take care of your repair requests and system part replacement needs of your ODA at no extra cost or headache. It centrally accepts hardware telemetry data sent from a group of ASR Assets. The ASR Manager then filters the incoming data and forwards potential fault telemetry to Oracle Backend systems. Music to your ears? Yes, but ASR does not come pre-installed and ready to go. Instead you need to install and configure the ASR Manager and Assets to enable this great Oracle feature.

The ASR Manager is always installed first, followed by ASR Assets. You have the option to install more than one instance of an ASR Manager. The reasons to do this may be to support a large amount of ASR Assets and/or for organisational reasons, such as grouping ASR Assets by data centre, etc., as needed.

The ASR Manager system itself can be installed as an ASR Asset. This way, the ASR Manager system can report its own hardware telemetry, as does an ASR Asset.

 

ASR Manager is supported on the following versions of Linux:

  • Oracle Linux 5.3 or later
  • Red Hat Enterprise Linux 6.3 or later

Run the following command as root user on the ODA node of choice to check the ASR version and OS version for compatibility:

oakcli show version -detail

 

In this case the Oracle Linux version (OL) is 6.8 which falls into the compatibility category.

 

Installing ASR Manager Software

Java Version

ASR Manager systems require Oracle Java 7 – JDK 7 (JDK 1.7.0_13) or later JDK 7 updates or Oracle Java 8 (1.8.0_25 or later).

 

You can download the latest version from the Java SE Downloads page:

http://www.oracle.com/technetwork/java/javase/downloads/

To check your version of Java, run the following from the ASR MANAGER ODA node:

 java -version

Downloading Installation File

Download latest ASR version from My Oracle Support (Doc ID 1185493.1) and copy to the ASR Manager server node of choice

After logging into your My Oracle Support account, click on (Patches & Updates), then scroll down to Patch Search and enter Patch number 26612524 to search for the ASR Manager latest update to download (as shown in the screen shot below):

Select the version corresponding to your operating system, which in our case is  (Linux x86-64):

Then download the corresponding file and copy to your ASR Manager server:

 

Verifying Your Network Connection

The ASR Manager system must have an internet connection – either a direct connection or through a proxy.

You must decide on one node of your ODA to serve as the ASR Manager node. Check and make note of the ASR Manager IP address. To obtain the IP address, run the following command(s) from the ASR Manager SERVER/ Node of choice:

# ifconfig -a
 # more /etc/hosts

Installation

Verifying My Oracle Support Requirements

You will need a valid MOS login name to install the ASR software components. Use your MOS account to validate key information about the systems targeted for ASR installation (for example, serial numbers).

Open a terminal window and make sure you are logged in to the ASR Manager Server node of choice as root. From the directory where you copied the zipped installation file to, unzip the ASR package as follows:

Then we will need to unpack the ASR package with the following command:

rpm -i <asrmanager-version_num-time_stamp>.rpm

 

As the installation progresses, you are prompted to make several selections.

Set ASR in the root environment file

To avoid the need to type the full path name for the ASR Manager asr command, you can apply the following option:

Add the asr command to the PATH environment variable. This update would be made to the root user’s .profile, .cshrc, .kshrc, or .bashrc files as needed  as follows:

 

export PATH=$PATH:/opt/asrmanager/bin

Create a symbolic link to the asr command in the /usr/bin directory:

ln -s /opt/asrmanager/bin/asr /usr/bin



Registering the ASR Manager

Log in to the ASR console:

If you have not set your PATH environment variable, run:

# /opt/asrmanager/bin/asr

If you have set your PATH environment variable, run:

# asr

To register the ASR Manager:

asr> register



Select the default “destination transport server” by hitting the enter key.

If you do not use a proxy server, then hit enter to move on to the next prompt.

 

Enter your Oracle SSO credentials when prompted (Ensure that this account is an administrator account that will have the ability to approve your assets)

Upon entry of your MOS credentials, ASR will validate the login. Once validated, the registration is complete.

Check the registration status of ASR:

asr> show_reg_status



A message is displayed on the screen indicating whether ASR is registered with

the transport server.

To be sure that ASR can send information to the transport server:

asr> test_connection

This command sends a test message (ping) to the transport server.

Upon successful results of the above commands, the registration of the ASR

Manager is complete.

Verifying Telemetry

ASR uses ILOM telemetry sources to detect fault events on Oracle Database Appliance hardware. ILOM provides fault information, power and environmental, and CPU and memory fault information from the service processor.

Configuring ASR Manager for SNMP v3

ASR Manager supports two SNMP v3 telemetry sources: ILOM 3.0.16 and later and M-Series XSCF

SNMP v3 provides security (encryption and authentication) for any communication between an ASR asset. To configure your designated ASR Manager to allow ASR assets to use SNMP v3 through ILOM or M-Series XSCF, you must create an SNMP v3 user:

ILOM Setup: SNMP v3 for ASR Assets

Check your configuration with the following command:

 # cat /opt/oracle/oak/onecmd/onecommand.params|grep ASR
 


Confirm ILOM

You can run the following from the asr manager node:

# cat /opt/oracle/oak/onecmd/onecommand.params|grep ILOM

Use ssh to the IP address of the ILOM network interface and log in as root:

ssh  root@IP_Address_of_ILOM_Interface

Run the following command:

 show /SP



The minimum version of ILOM that supports the AES privacy protocol for SNMP v3  is ILOM 3.0.16 and later.

Log in to the Oracle ILOM CLI.

To view the Oracle ILOM SNMP properties:

-> show /SP/services/snmp

Log in to the ILOM service processor as root and change to the snmp directory:

-> cd /SP/services/snmp

Run the following to check where engine id has been assigned a value:

-> show /SP/services/snmp engineid

Here, you will need to define an engineid for your ILOM node in case there is none in order for it to work with SNMPV3.  The value of engineid must be 25 characters or less.

We have decided to set an engine of “ECLODIL0”:

-> set /SP/services/snmp engineid=ECLODIL0                                                                              

-> show /SP/services/snmp engineid



Create an SNMP v3 user:

In this instance, we have decided to create an snmpv3 user named “snasr”

On the ILOM cli interface:

-> cd /SP/services/snmp/users

-> create snasr authenticationprotocol=SHA authenticationpassword=Ecloda12 privacyprotocol=AES privacypassword=Ecloda12

(length must be at least 8 characters, less than 13 for authentication password and exactly 8 for privacy password, and must consist of upper and lowercase letters and numbers only)

To confirm the created user, run the following:

-> show /SP/services/snmp/users/snasr



Ensure that all ILOMS are fitted with the same snmpv3 user and same alert rule configuration.

CREATION OF SNMPV3 USER ON ASR MANAGER

To configure your designated ASR Manager to allow ASR assets to use SNMP v3 through ILOM or M-Series XSCF, you must create an SNMP v3 user.  This user must have authentication exactly as created on the ILOMS earlier.

Run the following at the asr prompt:

asr> add_snmpv3_user -u snasr -e [ECLODIL0,ECLODIL1] -pp AES


The command above adds an asr user and includes the engine ids of the ILOMS that should be monitored via snmpv3.

After that, run the following commands to validate the user in ASR:

asr> show_snmpv3_user
asr> validate_snmpv3_user

Notes:

ASR Manager only supports the SHA protocol for authentication. It supports AES (ILOM) and DES (M-Series XSCF) for privacy and encryption.

The authentication password is case-sensitive and must contain 8 to 16 characters, with no colons or space characters. ASR Manager supports only two SNMP v3 users at this time.

 

Creating ILOM Test Alerts

From a web browser, access the IP address of the ILOM interface (note: https) and log in as root:
https://IP_Address_of_ILOM_Interface


From the menu, select Configuration, then select Alert Management.

The Alert Setting screen lists 15 possible Alert IDs that can be configured to send ILOM telemetry. Alert ID slots that are occupied by existing alert settings are shown along with their alert parameters. Choose an Alert ID that is not used by selecting the radio button next to the Alert ID number.

Note:
Unused Alert IDs are mainly indicated by the disable setting in the Level column and by all zeros in the Destination Summary column.

  • Select Edit from the Actions pull-down menu.
  • Enter data in this screen as follows:
  • Level: Select Minor from the pull-down menu.

 

  • Type: Select SNMP Trap from the pull-down menu.
  • IP Address: Enter the IP Address of the ASR Manager system.
  • Destination Port: Set to port 162. For ILOM versions 2.0.4.2 or lower, the port cannot be changed from the default (162).
    If you are using ILOM 3.0.16 or above and want to enable SNMP v3,
  • Select SNMP Version =V3
  • User Name: snasr (as created earlier on ILOM cli)
  • Click the Save button.
  • Repeat for each ASR asset required for ILOM telemetry.

 

To generate a test alert from ILOM:

From the ILOM GUI: In the Alert Settings page, select the alert you want to test and then click the Send Test Alert button. ILOM generates a test event for the selected alert. If configured properly, you will receive a test Service Request e-mail.

 

If you want to do this via the command line, from the ILOM CLI: Type the following command paths to set the working directory:

-> cd /SP/alertmgmt/rules

Type the following command to generate a test alert:

-> set testalert=true

show /SP/alertmgmt/rules/2
 /SP/alertmgmt/rules/2

    Targets:

    Properties:

        type = snmptrap

        level = minor

        destination = 10.15.10.52

        destination_port = 162

        community_or_username = public

        snmp_version = 3

        testrule = (Cannot show property)

    Commands:

        cd

        set

        show

set engineid=ECLODIL1

Verify that the test alert is received to the ASR Manager. Check for the test alert in the ASR Manager log file:

/var/opt/asrmanager/log

View of log:

 

If you don’t see any entry in the log representing the test alert on the ASR Manager Server then it is possible that the port 162 has been held by another service.

To search for who’s holding the SNMP port 162, “snmptrap”, use the following process on the asr manager server:

# lsof | grep UDP | grep “:snmptrap”

It’s usually another process called “snmptrapd”:

ps -ef | grep snmptrapd | grep -v grep

Fix this issue by doing the following:

# chkconfig snmptrapd off
# service snmptrapd stop

Login to the asr prompt and restart asr for the changes to take effect:

asr> restart

Connect back to the ILOM interface where the testing of the alert was taking place earlier and run the ff to continue the alert testing.

show /SP/alertmgmt/rules/2
/SP/alertmgmt/rules/2
    Targets:
    Properties:

        type = snmptrap

        level = minor

        destination = 10.15.10.52

        destination_port = 162

        community_or_username = public

        snmp_version = 3

        testrule = (Cannot show property)

    Commands:

        cd

        set

        show

set engineid=ECLODIL1

cd /SP/alertmgmt/rules

/SP/alertmgmt/rules

set testalert=true

Set '/X/alertmgmt/rules/testalert' to ‘true'

Repeat the above steps on all ILOMS you want monitored by the ASR Manager.

 

Activating ASR Assets

Open a terminal window and log in as root on the ASR Manager system.

Run the following activate command for each ASR asset. Be sure to use the IP or

host name of the ASR asset system.

asr> activate_asset -i [IP address]

or

asr> activate_asset -h [host name]

Example:

 

asr> activate_asset -i 172.23.2.155



ODAProdMgt1 : 1 service tags

Successfully submitted activation for the asset

Host Name: ECLProdMgt1

IP Address: 172.3.3.155

Serial Number: FIUKSHJ67BY7

The e-mail address associated with the registration id for this asset's ASR Manager will receive an e-mail highlighting the asset activation status and any additional instructions for completing activation.

Please use My Oracle Support http://support.oracle.com to complete the activation process.

The Oracle Auto Service Request documentation can be accessed on http://oracle.com/asr.


asr> activate_asset -i 172.23.2.200

odaprod0 : 2 service tags

Successfully submitted activation for the asset

Host Name: ECLprod0

IP Address: 172.23.2.200

Serial Number: BANKUDADE32
The e-mail address associated with the registration id for this asset's ASR Manager will receive an e-mail highlighting the asset activation status and any additional instructions for completing activation.

Please use My Oracle Support http://support.oracle.com to complete the activation process.

The Oracle Auto Service Request documentation can be accessed on http://oracle.com/asr.

asr> list_asset

IP_ADDRESS    HOST_NAME  SERIAL_NUMBER PARENT_SERIAL ASR PROTOCOL SOURCE LAST_HEARTBEAT          PRODUCT_NAME

----------    ---------  ------------- ------------- --- -------- ------ --------------          ------------

............. .SYSTEM.   1350NM0004    ............. ... ........ ...... .............           .............

172.23.4.345  ODADevMgt0 1348NML0H9    1350NM0004    Y   SNMP     ILOM   2017-10-20 12:03:01.206 SUN FIRE X4170 M3

172.22.5.778 ODADevMgt1 1348NML0HG    1350NM0004    Y   SNMP     ILOM   2016-03-14 12:30:04.662 SUN FIRE X4170 M3

172.23.2.111 ODADev0    1348NML0H9                  Y   SNMP     FMA    NA                      SUN FIRE X4170 M3 x86/x64 System

172.23.2.100  ODADev1    1348NML0HG                  Y   SNMP     FMA    NA                      SUN FIRE X4170 M3 x86/x64 System

Log in to My Oracle Support to complete the activation process.

 

Validate Support Identifier Access

To manage ASR assets, your My Oracle Support account must have the Administrator role or the “Admin” Assets Access privilege on the Support Identifier of the assets.
Login to My Oracle Support, click the “Settings” tab, then “My Account.” Then, check your role and privileges.

Note: For Oracle Support Providers: Your My Oracle account must have administrator privileges for the Partner Support Identifiers that are associated with the Indirect Customer Support Identifiers that are associated with the ASR assets

Contact the Administrator for your Support Identifier to get access

Approving ASR Activations

 The My Oracle Support Message Center, on the upper right of the screen, will indicate that you need to Approve ASR Assets.
If you do not have any ASR Assets to approve, you may not have the Administrator role or the “Admin” Assets Access privilege for the Support Identifiers of the Assets that have ASR Status = Pending.

 

 

Managing Multiple Assets

 Select one or more assets and then perform the operations as needed.

 

Assign a Contact and optional Email Distribution List.

 To complete ASR Activation each asset must have a Contact assigned. A Contact is a My Oracle Support user with the Create Service Request privilege on the Asset’s Support Identifier. The Contact becomes the customer owner of the Service Request opened by ASR and is sent an email notification.
If additional people need to be notified when ASR Service Requests are created, enter one or more email addresses, separated by commas, in the “Email Distribution List.”

 

 

Note for Oracle Support Provider Partners: 

The Contact must be a member of the Partner organization and not the Customer’s organization. The Contact must have the “Create Service Request” in the Partner Support Identifier associate with the Indirect Customer Support Identifiers that are associated with the ASR asset. The “Contact Name” list of values will only display contacts that meet these criteria.

Only the Partner is able to add/edit the Contact and E-Mail Distrbution and Approve/Deactivate ASR.

The My Oracle Support user needs to have the Adminstrator role or the Asset Administation privilege on the Partner Support Identifier associated with the Asset.

 

View Asset Details and ASR Status Information

 Within My Oracle Support, select the Systems tab to view Asset detail. If the Asset detail region is not displayed you might have to use the customize page feature to add the Assets region.

 

TEST EMAIL

Finally, simulate test e-mails from all your configured assets.

Log into the ASR Manager Server and run the following commands with the associated IPs for the assets:

asr> send_test -i 172.23.2.104Submitted test event for asset ODAProdMgt1

Verification email will be sent to xxx.xxx@company.ca

asr> send_test -i 172.23.2.103

Submitted test event for asset ODAProdMgt0

Verification email will be sent to xxx.xxx@company.ca

asr> send_test -i 172.23.2.125

Submitted test event for asset ODADevMgt0

Verification email will be sent to xxx.xxx@company.ca

asr> send_test -i 172.23.2.126

Submitted test event for asset ODADevMgt1

Verification email will be sent to xxx.xxx@company.ca
asr> send_test -i 172.23.2.221

Submitted test event for asset odaprod1

Verification email will be sent to xxx.xxx@company.ca
asr> send_test -i 172.23.2.226
Submitted test event for asset odadev0
Verification email will be sent to xxx.xxx@company.ca

asr> send_test -i 172.23.2.220

Submitted test event for asset odaprod0

Verification email will be sent to xxx.xxx@company.ca

asr> send_test -i 172.23.2.227

Submitted test event for asset odadev1

Verification email will be sent to xxx.xxx@company.ca
Share on:

More from this Author

Troubleshooting Oracle Database Environments Navigating Through inventory.xml Corruption Issues

Troubleshooting Oracle Database Environments: Navigating Through inventory.xml Corruption Issues

Encountering errors can often lead us down a rabbit hole of troubleshooting and investigative work. Recently, a scenario encountered highlighted the ... Read More

Troubleshooting and Resolving ORA 00283 and ORA 28374 Errors During Remote Pluggable Database Cloning

Troubleshooting and Resolving ORA-00283 and ORA-28374 Errors During Remote Pluggable Database Cloning

Introduction: Creating a clone of a remote pluggable database across a database link can be a powerful tool for managing and replicating data across ... Read More

Back to Top