Yeah, I made the mistake of trusting the FW team when they said they
properly implemented by FW requests. I just checked from our OEM server
that port 3872 and in some cases 1521 are still blocked. I'm currently
checking 4903 from the AWS back to OEM. Unfortunately FW rules are only
pushed Tues and Thurs, even if they made a mistake on something that
already passed.
In the meantime, is it safe to say that outside of adding my public SSH key
to the OEM server's $HOME/.ssh/authorized_keys file, then using a Named
Credential with a credential type of "SSH Key Credentials" should work? I
followed youtube vid "Oracle Enterprise Manager 12c: Create SSH Key Named
Credentials " which isn't directly for AWS EC2 but ideally should work.
Dave
On Thu, Jul 5, 2018 at 12:36 PM, <niall.litchfield@xxxxxxxxx> wrote:
I'd imagine that your firewall rules (either virtual or physical or both)
will require connectivity between your on-premises OEM and the off-premises
EC2 instances on the relevant ports. These are documented in the
surprisingly hard to find Note https://support.oracle.com/epmos/faces/
DocumentDisplay?id=2362242.1 2362242.1. If you have internal firewalls
this is probably old hat, but if you don't it's the most likely reason that
ssh succeeds but monitoring doesn't. You'll also need name resolution to be
consistent.
On Thu, Jul 5, 2018 at 5:45 PM Dave Herring <gdherri@xxxxxxxxx> wrote:
Folks,
(I've been given the task of setting up monitoring for a number of Oracle
databases on AWS EC2 and unfortunately given little to no guidance, so I
apologize upfront if my question seems rather basic.)
Has anyone set up management agents on AWS EC2 environments to monitor
from an OEM outside of AWS? We did something similar in the past for RDS
environments but I was hoping we wouldn't have to rely on the OEM AWS
plugin, which only provides a rather limited subset of functionality of OEM
for the envs.
Since we have SSH key pairs set up to reach the AWS servers, my
assumption was I could perform agent installations from OEM (which resides
outside of AWS), using pre-defined Named Credentials that use SSH key
pairs. Unfortunately it seems the connection can't be made that way
through OEM, although I did prove I COULD connect at the OS level using the
same method.
I did find a post by Pete Sharman from 5/2016 saying that under OEM 13c
we'd need to have an Amazon VPC configured and only then could a typical,
OEM to agent monitoring configuration and that the only other option is to
use the AWS plugin. But, that's just over 1yr old and I wasn't sure if
anything has changed since then.
Thx.
--
Dave
--
Niall Litchfield
Oracle DBA
http://www.orawin.info
