Unfortunately there is a LOT more than that.
Please review note 1664074.1, “Applying Enterprise Manager Recommended Patches”
for a full overview of everything there is to get done, and recommendations on
the order to apply them. This note was last updated in February 2018 so the
patch numbers in it will not be up to date and you’ll need to dig around to
identify the current patches (or run my script that I link to below).
Generally, these are the elements I keep patched for EM13c R2:
-Repository database with latest proactive patch bundle, OCW security patch,
JavaVM patch, and APEX patch
-Same DB patches for any AWR warehouse database used by EM
-Maintain correct/current/required versions of OPatch and OMSPatcher on all OMS
instances, and updated OPatch on all agents
-Maintain up-to-date Java 1.7 versions in the middleware home and on agents
(1.7.0_171 works for me, tried 1.7.0_201 this morning and had problems)
-Update agent-side plugins via self-update when new releases available
-OMS side plugin patching for 13.2.1 plugins, 13.2.2 plugins, 13.2.3 plugins
(current patches 27523593, 28628403, 28628415, respectively – apply all three)
-WLS in middleware home with quarterly PSU patches and other required security
patches (toplink=24327938, OSS=26591558)
-Current agent bundle patch on all agents (latest 28533438)
-Agent-side plugin bundle patches for all DISCOVERY plugins installed on all
agents
-Agent-side plugin bundle patches for all MONITORING plugins installed on all
agents
It’s a ton to deal with. I do not know what OS you run, but I have a bash
script that works on Linux, Solaris, and AIX, to evaluate your OMS and the
agent on the OMS server to identify all currently needed patches. You can
download it from:
https://raw.githubusercontent.com/brianpardy/em13c/master/checksec13R2.sh and ;
just run it as the user account that runs your OMS stack. It also includes
checks on security setup on the repository database like SQL*Net encryption
parameters, checksum algorithms and encryption algorithms, and will also check
for default/self-signed certificates on your OMS/agents, and makes sure that
SSLv3/TLSv1.0/TLSv1.1 and LOW or MEDIUM strength ciphersuites are disabled on
all of your OMS/WLS components. I don’t think this will work on Windows hosts
(needs bash, awk, grep, openssl).
If you configure an EM admin account for it to use along with all the necessary
saved/preferred credentials, then login to EMCLI with that account before
running my script, it will also use EM jobs to check all of your agents to make
sure they have the correct versions of OPatch, plugin bundle patches, Java, and
so on. I have a script to simplify creating that account on my github too. I
have a big blog post that describes both of these scripts:
https://pardydba.wordpress.com/2016/10/28/securing-oracle-enterprise-manager-13cr2/
Apologies for the self-promotion!
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On ;
Behalf Of Andrew Kerber
Sent: Thursday, October 18, 2018 12:07 PM
To: ORACLE-L <oracle-l@xxxxxxxxxxxxx>
Subject: oem 13.2 patching
I am trying to understand the oracle patch document for oracle OEM cloud
control 13c. Its a plain vanilla install, with just the standard agents and
plug ins. We have never patched it.
Reading through the document for Oct, can someone with experience please verify
my understanding. I am confident I understand the database patching, but the
cloud control patching isn't so clear to me.
As I read the document, I need to install these patches for cloud control, in
addition to the db patches.:
28717501<https://support.oracle.com/epmos/faces/ui/patch/PatchDetail.jspx?parent=DOCUMENT&sourceId=2433477.1&patchId=28717501>
for oms base platform oms home
28195767 for agent homes
Can someone with a little more experience on Cloud control patching please
verify that?
--
Andrew W. Kerber
'If at first you dont succeed, dont take up skydiving.'
