Intended Audience: Oracle Enterprise Manager (OEM) Cloud Control Administrators
Purpose: This document provides a guideline for implementing Auto Discovery in OEM 12c. It is not a detailed build document or cookbook. Its purpose is to give experienced OEM administrators a quick start and help them avoid pitfalls.
Requirements
As with any implementation, knowing the requirements for Auto Discovery is critical. Know who the customer is and get their requirements. The most critical inputs are the list of VLANs to scan (as CIDR ranges) and the specific ports to look for in your environment.
Summary
Setting up Auto Discovery has the following basic steps:
- Setup Scanning Account
- Determine Scanning Host(s)
- Setup Privilege Delegation
- Create Scanning Account Credential
- Configure Auto Discovery
Setup Scanning Account
The operating system account used to perform the scans must be allowed by sudo to execute nmosudo as root. In OEM 12c Release 3, nmosudo is in the sbin directory under AGENT_BASE, for example AGENT_BASE/sbin/nmosudo. In earlier versions sbin was under MIDDLEWARE_HOME, so its path changed with every upgrade and the sudo rule for this account had to be updated each release. Whatever the version, locate nmosudo first: sudo matches commands by full path, so the rule must name that exact path. Grant only this binary (and nmap, below) rather than a blanket ALL; for everything the rule allows, the scanning account is effectively root.
When Auto Discovery runs, nmosudo calls the nmap that ships with the OEM agent, not the nmap from the OS distribution. In R3, nmap is at AGENT_INST/discovery/nmap/bin/nmap. sudo policy can be very granular, and depending on how it is configured (for example, if the NOEXEC tag applies to the rule) nmosudo may not be able to invoke nmap in your environment. In that case, explicitly allow the scanning account to execute the agent's nmap as root as well, again by full path.
Determine Scanning Host(s)
You can perform the scan from any host that has an OEM agent installed. You may want to choose multiple hosts to share the workload and/or provide high availability. It is not unusual to use the Oracle Management Service (OMS) hosts for this task.
Setup Privilege Delegation
The host(s) that will perform the scan need to be set up for privilege delegation, because the scanning account must sudo to root. Root is needed by nmap itself for raw-socket scanning (SYN scans, OS detection), not because of the target port numbers: connecting to a low-numbered port such as 22 or 80 as a client requires no privilege.
Go to Setup/Security/Privilege Delegation and select the host(s) to be used for the scan. Click on the edit icon and select the Sudo radio button and then enter:
sudo -E -u %RUNAS% %COMMAND%
Note that -E passes the calling user's environment to the command that is invoked. sudo permits this only when the policy allows it (the SETENV tag on the rule, or the setenv default); otherwise it refuses with "sorry, you are not allowed to preserve the environment". Some sites forbid preserving the environment for security reasons, since variables such as PATH can influence what a privileged command does. If so, leave the -E off; running nmap does not require any environment variables to be passed through.
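As an added example (not from the original guideline), the POSIX shell script below generates the least-privilege sudoers fragment that the scanning account from Setup Scanning Account needs for the sudo template above, and sanity-checks it. The account name oemscan and the AGENT_BASE/AGENT_INST paths are assumptions; substitute your own. NOPASSWD and the SETENV tag are choices explained in the comments.

```shell
#!/bin/sh
# Added example: build and sanity-check a least-privilege sudoers fragment
# for the OEM 12c auto-discovery scanning account. The account name and the
# AGENT_BASE / AGENT_INST values are ASSUMPTIONS for illustration.

SCAN_USER="${SCAN_USER:-oemscan}"
AGENT_BASE="${AGENT_BASE:-/u01/app/oracle/agent12c}"
AGENT_INST="${AGENT_INST:-/u01/app/oracle/agent12c/agent_inst}"

# Emit the fragment. Both binaries are named by absolute path (sudo matches
# commands on the full path), the target user is restricted to root, and
# SETENV is granted only because the Privilege Delegation template uses
# "sudo -E"; drop SETENV if you drop -E. The !requiretty default is needed
# where the distribution's sudoers sets requiretty, since the agent runs
# sudo without a terminal. NOPASSWD is an assumption: the OEM named
# credential can supply the account password instead if policy demands it.
gen_sudoers_fragment() {
    user="$1"; base="$2"; inst="$3"
    nmosudo="$base/sbin/nmosudo"
    nmap="$inst/discovery/nmap/bin/nmap"
    printf '%s\n' \
        "# OEM auto-discovery: only the agent nmosudo and bundled nmap, run as root" \
        "Defaults:$user !requiretty" \
        "$user ALL=(root) NOPASSWD: SETENV: $nmosudo, $nmap"
}

# Reject relative paths up front: sudo requires the full path of every
# command in a rule, and a relative path would silently never match.
paths_are_absolute() {
    for p in "$@"; do
        case "$p" in
            /*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Syntax-check a fragment with visudo when it is installed (-c = check only,
# -f = file to check instead of /etc/sudoers). Returns 0 when the check
# passes or visudo is unavailable, 1 when visudo rejects the fragment.
validate_fragment() {
    file="$1"
    if command -v visudo >/dev/null 2>&1; then
        chmod 0440 "$file"
        visudo -cf "$file" >/dev/null || return 1
    fi
    return 0
}

if paths_are_absolute "$AGENT_BASE" "$AGENT_INST"; then
    tmp="$(mktemp)"
    gen_sudoers_fragment "$SCAN_USER" "$AGENT_BASE" "$AGENT_INST" > "$tmp"
    if validate_fragment "$tmp"; then
        echo "Fragment to install as /etc/sudoers.d/oem-discovery (mode 0440):"
        cat "$tmp"
    else
        echo "visudo rejected the generated fragment:" >&2
        cat "$tmp" >&2
    fi
    rm -f "$tmp"
else
    echo "AGENT_BASE and AGENT_INST must be absolute paths" >&2
fi
```

Install the printed fragment with visudo on each scanning host, then confirm the grant with sudo -l -U oemscan before testing the named credential in OEM; the rule should list exactly the two agent binaries and nothing else.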
Create Scanning Account Credential
Next we need to create the credential for the scanning account as this is required to configure Auto Discovery. Go to Setup/Security/Named Credentials.
Create a host credential and make sure to specify Run Privilege as Sudo and Run as root. Test the credential against one of the scanning hosts and save.
Configure Auto Discovery
Go to Setup/Add Target/Configure Auto Discovery. Click the wrench icon next to Host and Oracle VM Manager.
Click Create.
Give the Job a meaningful name based on what it is you are going to scan.
Click Add and then search for and select the agent or agents you wish to scan from (the ones configured for Privilege Delegation above).
Click Edit Nmap Scan Services and Ports and add or remove the ports to scan. These are in addition to the ports OEM always scans for. If any of your services listen on non-default ports, specify those ports here or the scan will miss them.
In IP Ranges to Scan, enter the IP addresses or hostnames to scan. CIDR notation is accepted, so typically you will enter the VLANs to scan as CIDR blocks. Agree these ranges with the network and security teams beforehand: the scan is a root-privileged nmap sweep and can trigger intrusion detection alerts on the target networks.
Under Schedule, choose whether this is a repeating scan and when it should run. You will generally want a repeating schedule to catch new hosts added to the environment.
Under Credentials, select Named and then choose the named credential that was created above.
Click Save and Submit Scan, then monitor the results.