Sunday, July 7, 2013

Getting Oracle Enterprise Manager Cloud Control to talk to Amazon RDS Instances

Oracle provides an OEM Cloud Control plug-in to monitor Amazon RDS instances. While the majority of the Installation Guide is straightforward, it fails to give you some rather vital information needed to get things working. The purpose of this post is to provide you with the missing information.

It is assumed you have your RDS instance up and running along with Oracle Enterprise Manager Cloud Control. You will also need at least one OEM Agent.

Let's begin.

1. Download the Oracle Enterprise Manager for Amazon Web Services (AWS) Plug-in from http://www.oracle.com/technetwork/oem/grid-control/downloads/oem-aws-plugin-1852739.html

2. Follow the Instructions in the downloaded guide up to the Add Targets for Monitoring section.

We now need to go and get some additional information.


3a. Get the Amazon Relational Database Service (RDS) endpoint
e.g. for the Asia Pacific (Sydney) Region it is rds.ap-southeast-2.amazonaws.com

3b. Get the Amazon CloudWatch endpoint
e.g. for the Asia Pacific (Singapore) Region it is monitoring.ap-southeast-1.amazonaws.com

4.  Download the public certificate for Amazon RDS at https://rds.amazonaws.com/doc/rds-ssl-ca-cert.pem 

4a. You will now need to import that certificate into your keystore. You can import the certificate using the keytool utility.

#  keytool -import -noprompt -trustcacerts -alias amazonrds -file rds-ssl-ca-cert.pem -keystore /u01/app/oracle/Middleware/jdk16/jdk/jre/lib/security/cacerts -storepass password

The default keystore password is changeit. You can name the alias whatever you want; I have used amazonrds.

4b. Confirm you added it by running the following command.


# keytool -list -keystore /u01/app/oracle/Middleware/jdk16/jdk/jre/lib/security/cacerts | grep -i amazonrds
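A check to run before the import in step 4a, added here as an example and not part of the original post: it compares the downloaded PEM against a SHA-256 fingerprint confirmed out of band before the certificate goes into the JVM-wide cacerts trust store. The function names and the pin value are assumptions; the post publishes no fingerprint for rds-ssl-ca-cert.pem.

```shell
#!/bin/sh
# Added example, not from the original post. The pin is supplied by the
# operator (assumption); obtain it from a source other than the download.

# Number of certificates in a PEM file (0 if the file is missing).
pem_cert_count() {
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n=0
    echo "$n"
}

# SHA-256 over the DER bytes of the first certificate, lowercase hex.
# Same value as `openssl x509 -fingerprint -sha256`, minus the colons.
pem_sha256() {
    awk '/-----BEGIN CERTIFICATE-----/ {f=1; next}
         /-----END CERTIFICATE-----/   {exit}
         f' "$1" | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Strip colons/spaces and lowercase so either fingerprint style compares equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# verify_pin <pem-file> <expected-sha256>; returns 0 only on an exact match.
# The pin covers one certificate, so files holding more than one are refused.
verify_pin() {
    if [ "$(pem_cert_count "$1")" -ne 1 ]; then
        echo "refusing: expected exactly one certificate in $1" >&2
        return 1
    fi
    fp_actual=$(pem_sha256 "$1")
    fp_expected=$(normalize_fp "$2")
    if [ "$fp_actual" != "$fp_expected" ]; then
        echo "fingerprint mismatch: got $fp_actual" >&2
        return 1
    fi
}

# import_pinned <pem-file> <expected-sha256> <keystore> <alias>
# Backs up the trust store first. With no -storepass argument keytool prompts
# for the password, keeping it out of the process list and shell history.
import_pinned() {
    verify_pin "$1" "$2" || return 1
    cp -p "$3" "$3.bak.$(date +%Y%m%d%H%M%S)" || return 1
    keytool -import -noprompt -trustcacerts -alias "$4" -file "$1" -keystore "$3"
}
```

Call it as `import_pinned rds-ssl-ca-cert.pem "$PIN" <path to cacerts> amazonrds`, where PIN is a placeholder for the fingerprint you verified.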


5. Now add the target RDS Instance to OEM Cloud Control. You can add it using the command line, or through Cloud Control, via the Setup -> Add Target menu.
For this example we will use the command line.
Log in to emcli:
# emcli login -username=sysman -password=sysman_password
# emcli sync
# emcli add_target -name="TARGET_DATABASE" -type="AmazonRDSService" -host="hostwithagent.com" -properties="ProxyHost=proxy.com;ProxyPort=8080;RDS_BaseURI=https://rds.ap-southeast-2.amazonaws.com;BaseURI=http://monitoring.ap-southeast-1.amazonaws.com;InstanceId=INSTANCENAME;Period=300"  -subseparator=properties="="
  • TARGET_DATABASE is the name you will see in OEM.
  • host is the host running the Management Agent, probably the same as your OMS host.
  • ProxyHost and ProxyPort are only needed if you access the internet through a proxy.
  • RDS_BaseURI is from step 3a.
  • BaseURI is from step 3b.
  • INSTANCENAME is the RDS instance name.


# emcli set_monitoring_credential -set_name="AWSKeyCredentialSet"  -target_name="TARGET_DATABASE"  -target_type="AmazonRDSService" -cred_type="AWSKeyCredential"  -attributes="AccessKeyId:accesskey;SecretKey:secretkey"
  • accesskey and secretkey are provided when your Amazon account is set up. I would recommend setting up an account just for monitoring.


# emcli set_monitoring_credential  -set_name="SSLTrustStoreCredentialSet"  -target_name="TARGET_DATABASE"  -target_type="AmazonRDSService"  -cred_type="StoreCredential"  -attributes="StoreLocation:/u01/app/oracle/Middleware/jdk16/jdk/jre/lib/security/cacerts;StoreType:JKS;StorePassword:password"
  • StoreLocation is the location of your cacerts file in the JAVA_HOME directory.
  • password is the keystore password; the default is changeit.


That’s it!

I hope this post has helped, and please let me know if there are any errors or omissions.