Configuring ASR Manager on Oracle ODA version 220.127.116.11.0 (SNMP v3 Security)
Oracle Auto Service Request is a warranty service offered under the bundled Oracle Premier Support for hardware support. This enables you to lean back and let Oracle take care of your repair requests and system part replacement needs of your ODA at no extra cost or headache. It centrally accepts hardware telemetry data sent from a group of ASR Assets. The ASR Manager then filters the incoming data and forwards potential fault telemetry to Oracle Backend systems. Music to your ears? Yes, but ASR does not come pre-installed and ready to go. Instead you need to install and configure the ASR Manager and Assets to enable this great Oracle feature.
The ASR Manager is always installed first, followed by ASR Assets. You have the option to install more than one instance of an ASR Manager. The reasons to do this may be to support a large amount of ASR Assets and/or for organisational reasons, such as grouping ASR Assets by data centre, etc., as needed.
The ASR Manager system itself can be installed as an ASR Asset. This way, the ASR Manager system can report its own hardware telemetry, as does an ASR Asset.
ASR Manager is supported on the following versions of Linux:
- Oracle Linux 5.3 or later
- Red Hat Enterprise Linux 6.3 or later
Run the following command as root user on the ODA node of choice to check the ASR version and OS version for compatibility:
oakcli show version -detail
In this case the Oracle Linux version (OL) is 6.8 which falls into the compatibility category.
Installing ASR Manager Software
ASR Manager systems require Oracle Java 7 – JDK 7 (JDK 1.7.0_13) or later JDK 7 updates or Oracle Java 8 (1.8.0_25 or later).
You can download the latest version from the Java SE Downloads page:
To check your version of Java, run the following from the ASR MANAGER ODA node:
Downloading Installation File
Download the latest ASR version from My Oracle Support (Doc ID 1185493.1) and copy it to the ASR Manager server node of choice.
After logging into your My Oracle Support account, click on (Patches & Updates), then scroll down to Patch Search and enter Patch number 26612524 to search for the ASR Manager latest update to download (as shown in the screen shot below):
Select the version corresponding to your operating system, which in our case is (Linux x86-64):
Then download the corresponding file and copy to your ASR Manager server:
Verifying Your Network Connection
The ASR Manager system must have an internet connection – either a direct connection or through a proxy.
You must decide on one node of your ODA to serve as the ASR Manager node. Check and make note of the ASR Manager IP address. To obtain the IP address, run the following command(s) from the ASR Manager SERVER/ Node of choice:
# ifconfig -a
# more /etc/hosts
Verifying My Oracle Support Requirements
You will need a valid MOS login name to install the ASR software components. Use your MOS account to validate key information about the systems targeted for ASR installation (for example, serial numbers).
Open a terminal window and make sure you are logged in to the ASR Manager Server node of choice as root. From the directory where you copied the zipped installation file to, unzip the ASR package as follows:
Then install the ASR package with the following command:
rpm -i <asrmanager-version_num-time_stamp>.rpm
As the installation progresses, you are prompted to make several selections.
Set ASR in the root environment file
To avoid the need to type the full path name for the ASR Manager asr command, you can apply the following option:
Add the asr command to the PATH environment variable. This update would be made to the root user’s .profile, .cshrc, .kshrc, or .bashrc files as needed as follows:
Create a symbolic link to the asr command in the /usr/bin directory:
ln -s /opt/asrmanager/bin/asr /usr/bin
Registering the ASR Manager
Log in to the ASR console:
If you have not set your PATH environment variable, run:
If you have set your PATH environment variable, run:
To register the ASR Manager:
Select the default “destination transport server” by hitting the enter key.
If you do not use a proxy server, then hit enter to move on to the next prompt.
Enter your Oracle SSO credentials when prompted (Ensure that this account is an administrator account that will have the ability to approve your assets)
Upon entry of your MOS credentials, ASR will validate the login. Once validated, the registration is complete.
Check the registration status of ASR:
A message is displayed on the screen indicating whether ASR is registered with
the transport server.
To be sure that ASR can send information to the transport server:
This command sends a test message (ping) to the transport server.
Upon successful results of the above commands, the registration of the ASR
Manager is complete.
ASR uses ILOM telemetry sources to detect fault events on Oracle Database Appliance hardware. ILOM provides fault information, power and environmental, and CPU and memory fault information from the service processor.
Configuring ASR Manager for SNMP v3
ASR Manager supports two SNMP v3 telemetry sources: ILOM 3.0.16 and later, and M-Series XSCF.
SNMP v3 provides security (encryption and authentication) for any communication between an ASR asset and the ASR Manager. To configure your designated ASR Manager to allow ASR assets to use SNMP v3 through ILOM or M-Series XSCF, you must create an SNMP v3 user:
ILOM Setup: SNMP v3 for ASR Assets
Check your configuration with the following command:
# cat /opt/oracle/oak/onecmd/onecommand.params|grep ASR
You can run the following from the asr manager node:
# cat /opt/oracle/oak/onecmd/onecommand.params|grep ILOM
Use ssh to the IP address of the ILOM network interface and log in as root:
Run the following command:
The minimum version of ILOM that supports the AES privacy protocol for SNMP v3 is ILOM 3.0.16 and later.
Log in to the Oracle ILOM CLI.
To view the Oracle ILOM SNMP properties:
-> show /SP/services/snmp
Log in to the ILOM service processor as root and change to the snmp directory:
-> cd /SP/services/snmp
Run the following to check whether the engine ID has been assigned a value:
-> show /SP/services/snmp engineid
If no engine ID is set, you will need to define one for your ILOM node in order for it to work with SNMP v3. The value of engineid must be 25 characters or less.
We have decided to set an engine ID of “ECLODIL0”:
-> set /SP/services/snmp engineid=ECLODIL0
-> show /SP/services/snmp engineid
Create an SNMP v3 user:
In this instance, we have decided to create an snmpv3 user named “snasr”
On the ILOM cli interface:
-> cd /SP/services/snmp/users
-> create snasr authenticationprotocol=SHA authenticationpassword=Ecloda12 privacyprotocol=AES privacypassword=Ecloda12
(The password length must be at least 8 characters, less than 13 for the authentication password and exactly 8 for the privacy password, and passwords must consist of upper and lowercase letters and numbers only.)
To confirm the created user, run the following:
-> show /SP/services/snmp/users/snasr
Ensure that all ILOMS are fitted with the same snmpv3 user and same alert rule configuration.
CREATION OF SNMPV3 USER ON ASR MANAGER
To configure your designated ASR Manager to allow ASR assets to use SNMP v3 through ILOM or M-Series XSCF, you must create an SNMP v3 user. This user must have authentication exactly as created on the ILOMS earlier.
Run the following at the asr prompt:
asr> add_snmpv3_user -u snasr -e [ECLODIL0,ECLODIL1] -pp AES
The command above adds an asr user and includes the engine ids of the ILOMS that should be monitored via snmpv3.
After that, run the following commands to validate the user in ASR:
asr> show_snmpv3_user
asr> validate_snmpv3_user
ASR Manager only supports the SHA protocol for authentication. It supports AES (ILOM) and DES (M-Series XSCF) for privacy and encryption.
The authentication password is case-sensitive and must contain 8 to 16 characters, with no colons or space characters. ASR Manager supports only two SNMP v3 users at this time.
Creating ILOM Test Alerts
From a web browser, access the IP address of the ILOM interface (note: https) and log in as root:
From the menu, select Configuration, then select Alert Management.
The Alert Setting screen lists 15 possible Alert IDs that can be configured to send ILOM telemetry. Alert ID slots that are occupied by existing alert settings are shown along with their alert parameters. Choose an Alert ID that is not used by selecting the radio button next to the Alert ID number.
Unused Alert IDs are mainly indicated by the disable setting in the Level column and by all zeros in the Destination Summary column.
- Select Edit from the Actions pull-down menu.
- Enter data in this screen as follows:
- Level: Select Minor from the pull-down menu.
- Type: Select SNMP Trap from the pull-down menu.
- IP Address: Enter the IP Address of the ASR Manager system.
- Destination Port: Set to port 162. For ILOM versions 18.104.22.168 or lower, the port cannot be changed from the default (162).
If you are using ILOM 3.0.16 or above and want to enable SNMP v3,
- Select SNMP Version =V3
- User Name: snasr (as created earlier on ILOM cli)
- Click the Save button.
- Repeat for each ASR asset required for ILOM telemetry.
To generate a test alert from ILOM:
From the ILOM GUI: In the Alert Settings page, select the alert you want to test and then click the Send Test Alert button. ILOM generates a test event for the selected alert. If configured properly, you will receive a test Service Request e-mail.
If you want to do this via the command line, from the ILOM CLI: Type the following command paths to set the working directory:
-> cd /SP/alertmgmt/rules
Type the following command to generate a test alert:
-> set testalert=true
-> show /SP/alertmgmt/rules/2
 /SP/alertmgmt/rules/2
    Targets:
    Properties:
        type = snmptrap
        level = minor
        destination = 10.15.10.52
        destination_port = 162
        community_or_username = public
        snmp_version = 3
        testrule = (Cannot show property)
    Commands:
        cd
        set
        show
-> set engineid=ECLODIL1
Verify that the test alert is received to the ASR Manager. Check for the test alert in the ASR Manager log file:
View of log:
If you don’t see any entry in the log representing the test alert on the ASR Manager Server then it is possible that the port 162 has been held by another service.
To search for who’s holding the SNMP port 162, “snmptrap”, use the following process on the asr manager server:
# lsof | grep UDP | grep ":snmptrap"
It’s usually another process called “snmptrapd”:
ps -ef | grep snmptrapd | grep -v grep
Fix this issue by doing the following:
# chkconfig snmptrapd off
# service snmptrapd stop
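The grep shown earlier only matches when lsof prints the port by its service name. The following added example (not from the original post) filters lsof output for UDP sockets on either :snmptrap or :162 and reports any holder other than the expected one; the function names and the process name java for the ASR Manager listener are assumptions, and the lsof lines are constructed.

```shell
#!/bin/sh
# Added example: find what is bound to the SNMP trap port from lsof output.

# trap_port_holders: read lsof output on stdin and print "COMMAND PID" once
# for each process with a UDP socket on :snmptrap or :162. The numeric form
# appears with `lsof -P` or when /etc/services has no snmptrap entry.
trap_port_holders() {
    awk '$8 == "UDP" && $9 ~ /:(snmptrap|162)$/ && !seen[$1 " " $2]++ { print $1, $2 }'
}

# foreign_holders ALLOWED: same input, but drop the process name that is
# expected to own the port. Returns 0 if nothing else holds it, 1 otherwise.
foreign_holders() {
    out=$(trap_port_holders | awk -v ok="$1" '$1 != ok')
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed lsof sample (not captured from a real system).
SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
snmpd     2100 root    9u  IPv4  14000      0t0  UDP *:snmp
snmptrapd 2211 root    8u  IPv4  17890      0t0  UDP *:snmptrap
snmptrapd 2211 root    9u  IPv6  17891      0t0  UDP *:snmptrap
sshd      1500 root    3u  IPv4  12000      0t0  TCP *:ssh (LISTEN)'

# "java" is an assumed name for the ASR Manager listener; confirm it with ps.
printf '%s\n' "$SAMPLE_LSOF" | foreign_holders java \
    || echo "port 162 is held by the process above"
```

On a live node, replace the sample with `lsof -i UDP | foreign_holders java`.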
Login to the asr prompt and restart asr for the changes to take effect:
Connect back to the ILOM interface where the testing of the alert was taking place earlier and run the following to continue the alert testing.
    Properties:
        type = snmptrap
        level = minor
        destination = 10.15.10.52
        destination_port = 162
        community_or_username = public
        snmp_version = 3
        testrule = (Cannot show property)
    Commands:
        cd
        set
        show
-> set engineid=ECLODIL1
-> cd /SP/alertmgmt/rules
/SP/alertmgmt/rules
-> set testalert=true
Set '/X/alertmgmt/rules/testalert' to 'true'
Repeat the above steps on all ILOMS you want monitored by the ASR Manager.
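To confirm that every ILOM carries the same alert rule, the text printed by show /SP/alertmgmt/rules/N can be compared against the expected settings. The script below is an added example, not part of the original procedure or Oracle's tooling; the function names are hypothetical, the expected values are the ones used on this page, and the sample rule text is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not Oracle tooling): audit captured ILOM alert-rule text.
# Assumed expected values, taken from this page's samples:
EXPECT_USER="snasr"          # SNMP v3 user created on the ILOM and in ASR Manager
EXPECT_DEST="10.15.10.52"    # ASR Manager IP shown in the page's rule output

# rule_prop NAME: read "show" output on stdin, print the value of "NAME = value".
rule_prop() {
    awk -v key="$1" '
        { n = index($0, "=") }
        n > 0 {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key && !done) { print v; done = 1 }
        }'
}

# audit_rule: read rule text on stdin, print one line per deviating property.
# Returns 0 when every property matches, 1 otherwise.
audit_rule() {
    rule=$(cat)
    bad=0
    while read -r name want; do
        got=$(printf '%s\n' "$rule" | rule_prop "$name")
        if [ "$got" != "$want" ]; then
            echo "$name: expected '$want', found '${got:-<missing>}'"
            bad=1
        fi
    done <<EOF
type snmptrap
level minor
destination $EXPECT_DEST
destination_port 162
snmp_version 3
community_or_username $EXPECT_USER
EOF
    return "$bad"
}

# Constructed sample mirroring the rule output shown on this page.
SAMPLE_RULE='/SP/alertmgmt/rules/2
    type = snmptrap
    level = minor
    destination = 10.15.10.52
    destination_port = 162
    community_or_username = public
    snmp_version = 3'
printf '%s\n' "$SAMPLE_RULE" | audit_rule || echo "rule needs attention"
```

Fed the rule output shown earlier, it reports community_or_username, because that rule carries public rather than the snasr user entered in the Alert Settings step.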
Activating ASR Assets
Open a terminal window and log in as root on the ASR Manager system.
Run the following activate command for each ASR asset. Be sure to use the IP or
host name of the ASR asset system.
asr> activate_asset -i [IP address]
asr> activate_asset -h [host name]
asr> activate_asset -i 172.23.2.155
ODAProdMgt1 : 1 service tags
Successfully submitted activation for the asset
Host Name: ECLProdMgt1
IP Address: 22.214.171.124
Serial Number: FIUKSHJ67BY7
The e-mail address associated with the registration id for this asset's ASR Manager will receive an e-mail highlighting the asset activation status and any additional instructions for completing activation.
Please use My Oracle Support http://support.oracle.com to complete the activation process.
The Oracle Auto Service Request documentation can be accessed on http://oracle.com/asr.

asr> activate_asset -i 172.23.2.200
odaprod0 : 2 service tags
Successfully submitted activation for the asset
Host Name: ECLprod0
IP Address: 172.23.2.200
Serial Number: BANKUDADE32
The e-mail address associated with the registration id for this asset's ASR Manager will receive an e-mail highlighting the asset activation status and any additional instructions for completing activation.
Please use My Oracle Support http://support.oracle.com to complete the activation process.
The Oracle Auto Service Request documentation can be accessed on http://oracle.com/asr.

asr> list_asset
IP_ADDRESS     HOST_NAME    SERIAL_NUMBER  PARENT_SERIAL  ASR  PROTOCOL  SOURCE  LAST_HEARTBEAT           PRODUCT_NAME
----------     ---------    -------------  -------------  ---  --------  ------  --------------           ------------
.............  .SYSTEM.     1350NM0004     .............  ...  ........  ......  .............            .............
172.23.4.345   ODADevMgt0   1348NML0H9     1350NM0004     Y    SNMP      ILOM    2017-10-20 12:03:01.206  SUN FIRE X4170 M3
172.22.5.778   ODADevMgt1   1348NML0HG     1350NM0004     Y    SNMP      ILOM    2016-03-14 12:30:04.662  SUN FIRE X4170 M3
172.23.2.111   ODADev0      1348NML0H9                    Y    SNMP      FMA     NA                       SUN FIRE X4170 M3 x86/x64 System
172.23.2.100   ODADev1      1348NML0HG                    Y    SNMP      FMA     NA                       SUN FIRE X4170 M3 x86/x64 System
Log in to My Oracle Support to complete the activation process.
Validate Support Identifier Access
To manage ASR assets, your My Oracle Support account must have the Administrator role or the “Admin” Assets Access privilege on the Support Identifier of the assets.
Login to My Oracle Support, click the “Settings” tab, then “My Account.” Then, check your role and privileges.
Note: For Oracle Support Providers: Your My Oracle account must have administrator privileges for the Partner Support Identifiers that are associated with the Indirect Customer Support Identifiers that are associated with the ASR assets.
Contact the Administrator for your Support Identifier to get access.
Approving ASR Activations
The My Oracle Support Message Center, on the upper right of the screen, will indicate that you need to Approve ASR Assets.
If you do not have any ASR Assets to approve, you may not have the Administrator role or the “Admin” Assets Access privilege for the Support Identifiers of the Assets that have ASR Status = Pending.
Managing Multiple Assets
Select one or more assets and then perform the operations as needed.
Assign a Contact and optional Email Distribution List.
To complete ASR Activation each asset must have a Contact assigned. A Contact is a My Oracle Support user with the Create Service Request privilege on the Asset’s Support Identifier. The Contact becomes the customer owner of the Service Request opened by ASR and is sent an email notification.
If additional people need to be notified when ASR Service Requests are created, enter one or more email addresses, separated by commas, in the “Email Distribution List.”
Note for Oracle Support Provider Partners:
The Contact must be a member of the Partner organization and not the Customer’s organization. The Contact must have the “Create Service Request” privilege in the Partner Support Identifier associated with the Indirect Customer Support Identifiers that are associated with the ASR asset. The “Contact Name” list of values will only display contacts that meet these criteria.
Only the Partner is able to add/edit the Contact and E-Mail Distribution and Approve/Deactivate ASR.
The My Oracle Support user needs to have the Administrator role or the Asset Administration privilege on the Partner Support Identifier associated with the Asset.
View Asset Details and ASR Status Information
Within My Oracle Support, select the Systems tab to view Asset detail. If the Asset detail region is not displayed you might have to use the customize page feature to add the Assets region.
Finally, simulate test e-mails from all your configured assets.
Log into the ASR Manager Server and run the following commands with the associated IPs for the assets:
asr> send_test -i 172.23.2.104
Submitted test event for asset ODAProdMgt1
Verification email will be sent to email@example.com
asr> send_test -i 172.23.2.103
Submitted test event for asset ODAProdMgt0
Verification email will be sent to firstname.lastname@example.org
asr> send_test -i 172.23.2.125
Submitted test event for asset ODADevMgt0
Verification email will be sent to email@example.com
asr> send_test -i 172.23.2.126
Submitted test event for asset ODADevMgt1
Verification email will be sent to firstname.lastname@example.org
asr> send_test -i 172.23.2.221
Submitted test event for asset odaprod1
Verification email will be sent to email@example.com
asr> send_test -i 172.23.2.226
Submitted test event for asset odadev0
Verification email will be sent to firstname.lastname@example.org
asr> send_test -i 172.23.2.220
Submitted test event for asset odaprod0
Verification email will be sent to email@example.com
asr> send_test -i 172.23.2.227
Submitted test event for asset odadev1
Verification email will be sent to firstname.lastname@example.org