Pre-requisites for monitoring Oracle Cluster
The following pre-requisites must be satisfied before you start monitoring Oracle Cluster to enable the eG agent to access the truststore where the certificates are stored to connect with the target cluster and collect metrics.
TrustStore is used to store certificates from Certified Authorities (CA) that verify and authenticate the certificate presented by the server in an SSL connection. The SSL certificate obtained from the certificate authority needs to be imported into the Java truststore.
-
For this a JKS file has to be created using the following command in <eG_INSTALL_DIR>jre/lib/security.
keytool -genkey -alias ca -keyalg RSA -keystore mytruststore.jks -keysize 2048 -validity 3650 -storetype JKS -storepass changeit -keypass changeit -dname "CN=mydomain.com, OU=IT, O=My Company, L=My City, ST=My State, C=My Country"
The following inputs from the above command can change according to the requirements of your environment:
alias : an alias name for the certificate being generated
-keypass : a password used to protect the key that is generated; ensure that you provide the same values for -keypass and -storepass.
-keyalg : specifies the algorithm that is used to generate the keys. The options are as follows:
-
DSA: Digital Signature Algorithm
-
RSA : An algorithm used for public-key cryptography
-keystore : the keytool command stores the generated key in a .jks file; provide a name for this file as input to the -keystore command. For example, mytruststore.jks.
-keysize : the size of the key that is generated; the minimum key size that we recommend is 2048 bits
-validity : indicates the number of days for which the key/certicate will be valid - 1095 days refer to 3 years.
-
-
Then, copy this default location <eG_INSTALL_DIR>jre/lib/security/mytruststore.jks.
-
Import the certificate to the mytruststore.jks using the following command, replacing variables as noted below:
keytool -trustcacerts -keystore <eG_INSTALL_DIR>jre/lib/security/mytruststore.jks -storepass changeit -alias $ALIAS -importcert -file $CERT
-
Replace $CERT with the path to your certificate that you previously installed to the system.
-
Replace $ALIAS with the preferred alias to be used in the truststore.
-
Note that changeit is the default password for Java's mytruststore.jks file. Check whether it has been changed on your system.
-
-
To ensure that the external agent is able to execute the Oracle RAC SQL Network Test in an SSL enabled Oracle Cluster, make sure to perform the above-mentioned steps in the external agent also.