In a previous post we discussed how to use Oracle Enterprise Manager (OEM) data with OCI to unlock new insights. In this blog, we dive deep into the topic of using OEM data with OCI to unlock greater insights.  We discuss how to configure OEM to use Cloud Management Gateway as a proxy between OEM Agents and OCI. This approach helps in complex environments where outbound Internet connectivity is permitted only from specific subnets or hosts. In this way, OCI Observability & Management (O&M) capabilities are adopted and used to maintian a strong security posture for on-premises infrastructure.

Let us consider a scenario where multiple Database servers are monitored by OEM in an on-premises setup.  You would like to enable insights to this data by sharing it with Oracle Cloud O&M platform services as discussed in the blog reference above.

Configure OEM to use Cloud Management Gateway

To avoid OCI outbound to connectivity from each OEM agent, use Cloud Management Gateway as a unique entry point to reach OCI services. To enable the entry point, open outbound HTTPS port to OCI from a single host in your network.  This can be the OEM host or a dedicated VM for Cloud Management Gateway.

This helps address the outbound network connectivity requirements from on-premises hosts to OCI API REST endpoints as below:

The configuration is simple and requires two steps:

• Install Cloud Management Gateway on a on-premises host of your choice
• Configure OEM Agent to use Cloud Management Gateway

Install Cloud Management Gateway

The communication between the gateway and OCI requires certificates. Choose to manually create certificates or use automatic method. In the example below, “Automatic Certificate Creation” is used.

Choose a compartment to create the required resources for Cloud Management Gateway and take note of compartment name and OCID:

• Name: <SAMPLECOMPARTMENT>
• OCID: <SAMPLECOMPARTMENT_OCID>

Then create the following dynamic groups and policies:

Using ssh, connect to the on-premises gateway host and install Java 8 (if not present). Expected output is similar to the one below:

Download gateway software RPM from OCI Console, navigating to “Observability & Management”, “Management Agents” and “Downloads & Keys”:

Install the RPM:

Now, the gateway is installed but it is not configured. We need to create a response file to finalize the configuration. See an example below.

The install key can be created (and downloaded) from OCI console, navigating to “Observability & Management”, “Management Agents” and “Downloads & Keys”:

Check OS firewall configuration on gateway host (port 4480 should be opened in ingress, to accept the connections from OEM agents). In this example, the firewall was disabled (dependent on individual network policies):

Next, execute setupGateway.sh command, that automatically creates on OCI the following resources (in the same compartment as Management Gateway):

1. OCI Vault OCI_MGMT_GATEWAY_VAULT
2. Certificate CA OCI_MGMT_GATEWAY_ROOT_CA
3. Certificate ocid1.managementagent.oc1.***

See the execution below:

After a few minutes, gateway will be in “Active” state on OCI Console:

Configure OEM Agents

Once the gateway is correctly configured, use it to forward OCI REST API calls from OEM agents.

For each host, enable the integration with OCI Observability & Management, apply the following properties:

And restart the agent:

To verify, check emd.properties file:

Expected output is similar to the following:

This blog outlines how to enable the OCI Bridge and complete the required setup to use OCI Operations Insights and OCI Logging Analytics for on-premises OEM targets. To understand more on how to get Oracle EM data into OCI Object Storage, see part 2 and part 3 of the series.

Resources

Troubleshooting OCI Operations Insights Service Setup from Enterprise Manager 13c (Doc ID 2913953.1)

EM13c : How To Configure OCI REST Connectivity via HTTP Proxy? (Doc ID 2852014.1)

Oracle Cloud Infrastructure Documentation – Management Gateway