Category Archives: Uncategorized

EM13c R2 13.2.2 plugins – Missing metrics after 20170531 bundle patches

After installing the 20170531 plugin bundle patches for the 13.2.2 plugin line of EM13c R2, I noticed that the “Metrics and Collection Settings” page on all of my database instance targets suddenly changed, and only showed about 10 metrics, compared to the dozens usually displayed. I also noticed a related symptom, that various metric collections resulting in a warning status that appeared as events suddenly lost the “Reevaluate metric alert” option on the Incident Manager page, which I use to clear alerts when, for example, OS audit files take up enough space to flag an alert.

To recover the “reevaluate metric alert” link and the full list of metrics on the settings page, I re-applied my database monitoring template to my database targets. That brought everything back to working the way it did before. I have not investigated the root cause of this issue, and I don’t know what an admin should do if they encounter this problem but do not use monitoring templates. I assume that some kind of metadata refresh occurs when applying templates which allows the OMS to process them correctly after the version upgrade with the plugin bundle patches.


Script to automate lock down of all EM13cR2 agents to HIGH strength ciphersuites

[EDIT 20170420: Upgraded script to version 1.1. No functionality changes, but added instructions to download+install unlimited strength policy .jar files to allow the use of even stronger ciphersuites such as TLS_RSA_WITH_AES_256_CBC_SHA256.]
This post releases a new script, secure_agent_ciphersuites.sh, which uses EMCLI to set the SSLCipherSuites agent property on all EM13c R2 agents to the value “SSL_RSA_WITH_3DES_EDE_CBC_SHA”, in order to lock agent endpoints down to HIGH strength ciphersuites. By default, EM13c R2 agents allow two MEDIUM strength ciphersuites in addition to the one HIGH strength: SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_RC4_128_SHA. If you log in to EMCLI as SYSMAN and have preferred host credentials configured, then run this script, it will identify all of your agents, set SSLCipherSuites as needed, and restart agents to bring them into compliance.

This script supplements my existing script to lock down EM13c agents to TLSv1.2 and configures your agents in a way that passes the security checks implemented in my EM13c R2 security checkup script.
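
The compliance decision described above can be sketched as a dry-run audit. This is an added example, not the secure_agent_ciphersuites.sh script itself: the agent names and inventory format are constructed, and treating an unset property as non-compliant is an assumption based on the default list quoted in the post.

```shell
#!/bin/sh
# Added example: dry-run audit of agent SSLCipherSuites values (prints a plan only).
TARGET_SUITE="SSL_RSA_WITH_3DES_EDE_CBC_SHA"   # value named in the post

# Constructed sample inventory: agent name, then current SSLCipherSuites value.
# A missing value stands for an agent where the property was never set (assumption).
sample_inventory() {
  cat <<'EOF'
dbhost01.example.com:3872 SSL_RSA_WITH_3DES_EDE_CBC_SHA
dbhost02.example.com:3872 SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA
dbhost03.example.com:3872
EOF
}

# List the suites in a colon-separated value that are not the target suite.
extra_suites() {
  local value="$1" suite out=""
  local IFS=':'
  for suite in $value; do
    [ "$suite" = "$TARGET_SUITE" ] || out="${out:+$out,}$suite"
  done
  printf '%s' "$out"
}

# Classify one property value: "ok", "unset", or "weak:<suites to drop>".
classify() {
  local value="$1"
  if [ "$value" = "$TARGET_SUITE" ]; then echo "ok"
  elif [ -z "$value" ]; then echo "unset"
  else echo "weak:$(extra_suites "$value")"
  fi
}

# Read an inventory on stdin and print the EMCLI command for each
# non-compliant agent. Nothing is executed; the agent restart the post
# mentions is left to the operator.
plan() {
  local agent value status
  while read -r agent value; do
    [ -n "$agent" ] || continue
    status=$(classify "$value")
    [ "$status" = "ok" ] && continue
    printf '# %s: %s\n' "$agent" "$status"
    printf 'emcli set_agent_property -agent_name="%s" -name="SSLCipherSuites" -value="%s"\n' \
      "$agent" "$TARGET_SUITE"
  done
}

sample_inventory | plan
```

Reviewing the printed plan before running any of it shows which agents still advertise the RC4 suites and which are already at the single target value.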