This is definitly a post worthy as one of the members of the BAAG. The work was extensive (setup, config, install, checking) and afterwards the outcome could have been predicted, but I definitly know now what portnumbers are allocated by the Oracle Enterprise Manager Agent version 10.2.0.3.0 for SUSE 9.2 ES Linux (I386, 32bit).
I was wondering what those portnumbers were. In a customer enviroment, which uses multiple segments between (V)LAN’s, firewall rules are being applied. So imagine multiple LAN’s within a company which are defined by different ranges and trafic between them are controlled by multiple firewall rules / settings.
My Oracle Enterprise Manager Grid control, version 10.2.0.3.0, must be able to contact it’s OEM agents on one off those different network segments. I could not get this working so I asked the responsible network administratorfor advise. He didn’t had the time for it, to setup and / or trace it properly; therefore left the problem for me to solve (‘it’s Oracle stuff anyway” – “aren’t you be able to read it somewhere in one of the Oracle manuals”). Long story short…
Which port numbers have to be defined in the firewall to enable traffic between the Oracle Management Server and the Oracle Enterprise Manager Agent?
Management Server side
I have a setup with an Oracle Enterprise Manager Grid Control environment within a VMware server environment. The operating system used is a Windows 2003 Server (SP1) environment. The setup only allows connections on the default SSL port for the 10.2.0.3.0 software, that is port 1159. Also a password has to be initially provided to connect to this port so SSL certificates can be exchanged.
The OEM software has been installed on the Windows 2003 Server under a Windows user account called “oracle”, which has local administrator privileges. In other words, this account is able to address port numbers under the 1024 port number range. The OEM setup has been placed in a TCP/IP range, called DMZ3.
OEM Agent side
The test environment makes use of a Oracle Agent installation situated on SUSE 9.2 ES LINUX (32bit). After installing the software on SUSE, connecting to the OMS repository/software and exchanging certificates, the Oracle OEM agent is configured and the test page can be reached on port 3889.
The OEM agent software is installed with a fresh LINUX account with the name “oagent”. This “oagent” LINUX user has been given the default “oinstall”, “users”, sysdba and sysoper group privileges. In other words, this account is unable to address portnumbers under the 1024 port number range. The OEM agent is working on a machine that has been placed in a different TCP/IP range, called DMZ1.
Sniffer / Firewall set-up
After checking that the set-up was succesfully and the management environment and the agent were able to communicate with each other, all firewall rules between the two Demilitarized Zones (DMZ1 <—> DMZ3) were removed; All TCP trapic is allowed (also UDP traphic). On the physical machine where the VMware Windows Server environment was defined, “wireshark” software was installed. This way we were able to snif the packages going from and to the physical network card (NIC) that is used by the bridged setup of the VMware Windows Server. We were also able to sniff data packages via the firewall software.
Testing has been done, by executing commands, clicking and using the OEM pages. Also jobs were executed and regular SQL statements were fired via the execute SQL screen / web pages. Be-aware the iSQLPlus posibility has not been tested, because this will be a depricated tool and it was not configured.
Seen from the Oracle Agent side; traphic is build up by addressing a random socket number (a lot of them by the way, everytime randomly addressed). The data (mostly XML data) will be acknowleged and delivered on the OMS defined port 1159.
Actions from the OEM environment will also be initiated on a randomly choosen socket and then communicates only on the 3889 port of the OEM agent. The OEM agent returns its data on the 1159 port.
So OEM initiated processes are known by inbound and outbound traphic. The OEM Agent initiates only outbound traphic. All in all: regarding firewall rules only two ports are needed. Port 1159 and 3889.
All this is probably somewhere hidden in the documentation. Also, in hind side, this port numbers are reflecting the numbers shown via the “emctl status agent” statement in the OEM agent environment. Doing it the way as I described here, is cumbersome and a lot of work.
But be honest, know I know.