Fixing file permission problems on Grid Control targets

When installing Grid Control agents on a Linux or Unix platform, a recommended practice is to install as a user that doesn't own the ORACLE_HOMEs to be monitored. This poses a challenge when configuring monitoring for some targets, particularly those based on Oracle Application Server 10g. For security purposes, file and directory permissions on some ORACLE_HOMEs are fairly restrictive, and the Grid Control agent can't read all of the files necessary for target discovery and metric collection. The Grid Control release notes mention this complication, and Metalink Note 437078.1 provides additional suggestions for resolving discovery and metric collection errors related to file permission restrictions on a target ORACLE_HOME. I can't reveal the content of the Metalink My Oracle Support Note, and the information in the publicly-available Release Notes provides inadequate coverage, but the overall problem-solving method reduces to:

  1. Make sure that the owner of the agent software is in the same group as the owner of the monitored target software
  2. Check the agent log files for file permission errors, and fix them.

My experience so far indicates that fixing some errors tends to reveal others. Who doesn't love a rousing game of log file whack-a-mole? In the interest of saving others a few rounds of this, I'm offering up a few additional permission change steps that could make your lives easier. For ease of navigation, I've broken things into the following sections:

Disclaimer: When considering making the changes I describe below, please consider the trade-off you are making: more robust monitoring at the expense of some level of security. The perceived degree of sacrifice will vary from person to person and organization to organization. I would argue that the benefits outweigh the risks, and since Oracle itself suggests similar changes, this is clearly not a cut-and-dried issue. Hey, if doing the right thing were always easy, this job wouldn't be any fun, right? ;-)

Please feel free to leave any similar tips (or links to your own posts about this topic) in the comments.

Oracle Application Server

Note 437078.1 is a good start, but there are a few additional items I found to ease metric collection and discovery errors for Oracle 10g App Server. ORACLE_HOME refers to the location of the 10gAS software. Depending on the application server components installed on your system, you may need to change more or fewer permissions.

chmod g+rx $ORACLE_HOME/webcache
chmod g+r $ORACLE_HOME/webcache/*.xml
chmod g+rx $ORACLE_HOME/portal
chmod g+rx $ORACLE_HOME/portal/conf
chmod g+rx $ORACLE_HOME/discoverer
chmod g+rx $ORACLE_HOME/discoverer/config
chmod g+rx $ORACLE_HOME/forms
chmod g+rx $ORACLE_HOME/forms/server
chmod g+rx $ORACLE_HOME/ldap
chmod g+rx $ORACLE_HOME/ldap/das
chmod g+rx $ORACLE_HOME/uix
chmod g+rx $ORACLE_HOME/ultrasearch
chmod g+rx $ORACLE_HOME/ultrasearch/webapp
chmod g+rx $ORACLE_HOME/ultrasearch/webapp/config
chmod g+rx $ORACLE_HOME/jpi
chmod g+rx $ORACLE_HOME/jpi/doc
chmod g+rx $ORACLE_HOME/Apache/oradav
chmod g+rx $ORACLE_HOME/Apache/oradav/conf
chmod g+rx $ORACLE_HOME/Apache/jsp
chmod g+rx $ORACLE_HOME/Apache/jsp/conf
chmod g+rx $ORACLE_HOME/Apache/modplsql
chmod g+rx $ORACLE_HOME/Apache/modplsql/conf
chmod g+rx $ORACLE_HOME/sso
chmod g+rx $ORACLE_HOME/sso/conf

Database targets

Some environments (for example, the 10gAS infrastructure database) will require permission changes to effectively monitor database and listener targets. You may find the scope of these changes to be a bit broad; at some point I got tired of chasing down individual files and just hit them all with the same hammer. :-) In this case, ORACLE_HOME refers to the ORACLE_HOME of the RDBMS software.

find $ORACLE_HOME/admin -type d -exec chmod g+rx {} \;
find $ORACLE_HOME/admin -type f -exec chmod g+r {} \;

find $ORACLE_HOME/network -type d -exec chmod g+rx {} \;
find $ORACLE_HOME/network -type f -exec chmod g+r {} \;

find $ORACLE_HOME/rdbms -type d -exec chmod g+rx {} \;
find $ORACLE_HOME/rdbms -type f -exec chmod g+r {} \;

## The following are needed for database health checks to work properly...
chmod g+rx $ORACLE_HOME/dbs
chmod g+rw $ORACLE_HOME/dbs/hc*

Another general configuration note for the database listener, which I stumbled upon when setting up monitoring for a Secure Enterprise Search repository database: If sqlnet.ora is configured with TCP.VALIDNODE_CHECKING=yes, then the server that hosts the Grid Control OMS needs to be added to the list of hosts defined by TCP.INVITED_NODES. Otherwise, you'll get messages like this when attempting to add the database target, even if all monitoring credentials are correct:

Failed to connect to the database: Io exception: Got minus one from a read call 
The Connect Descriptor was (description=(address=(host=ses.myorg.com)(protocol=tcp)(port=xxxx))
(connect_data=(service_name=SESdb)(instance_name=SESdb)(UR=A)))</pre>
And corresponding messages in the listener log:
<pre>TNS-12546: TNS:permission denied
 TNS-12560: TNS:protocol adapter error
  TNS-00516: Permission denied

Of course, after adding the OMS host to TCP.INVITED_NODES in sqlnet.ora, you need to tell the listener that you've made a change before the OMS will be able to connect to the database and add it as a target:

oracle@ses:~> lsnrctl  reload

LSNRCTL for Linux: Version 10.1.0.5.0 - Production on 05-DEC-2008 10:58:45

Copyright (c) 1991, 2004, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ses.myorg.com)(PORT=xxxx)))
The command completed successfully

Oracle Collaboration Suite Calendar Server

These commands will resolve some issues with metric collection for OCS Calendar Server. I suspect that the intersection of Collaboration Suite administrators (a small set) and readers of this blog (a vanishingly small set) is probably zero, but Google works in mysterious ways. ORACLE_HOME refers to the OCS software location, not the Grid Control agent home.

chmod g+rx $ORACLE_HOME/ocal/bin
chmod g+rx $ORACLE_HOME/ocal/bin/uniwho
chmod g+rx $ORACLE_HOME/ocal/bin/unireqdump
chmod g+rx $ORACLE_HOME/ocal/bin/uniping
chmod g+rx $ORACLE_HOME/ocal/bin/unistatus
chmod g+rx $ORACLE_HOME/ocal/sbin
chmod g+rx $ORACLE_HOME/ocal/sbin/who
chmod g+rx $ORACLE_HOME/ocal/sbin/reqdump
chmod g+rx $ORACLE_HOME/ocal/sbin/ping
chmod g+rx $ORACLE_HOME/ocal/sbin/status
chmod g+rx $ORACLE_HOME/ocal/oem
chmod g+rx $ORACLE_HOME/ocal/oem/scripts
chmod g+rx $ORACLE_HOME/ocal/oem/scripts/ocal_ps.pl
chmod g+rx $ORACLE_HOME/ocal/oem/scripts/ocal_dbsize.pl
chmod g+rx $ORACLE_HOME/ocas
chmod g+rx $ORACLE_HOME/ocas/linkdb
chmod g+rx $ORACLE_HOME/ocas/sessiondb
chmod g+rx $ORACLE_HOME/lib
chmod g+rx $ORACLE_HOME/ocal/lib
chmod g+r $ORACLE_HOME/ocal/lib/*.so
chmod g+rx $ORACLE_HOME/ocal/db
chmod g+rx $ORACLE_HOME/ocal/db/nodes
find $ORACLE_HOME/ocal/db/nodes -type d -exec chmod g+rx {} \;
find $ORACLE_HOME/ocal/db/nodes -type f -exec chmod g+r {} \;

E-Business Suite

Setting these permissions in an E-Business Suite R12 instance resolved some metric collection errors of the form

Couldn't open INST_TOP/ora/10.1.3/j2ee/oafm/application-deployments/oafm/orion-application.xml: Permission denied at AGENT_HOME/sysman/admin/scripts/ias/simpleXPath.pm line 116

These errors may not manifest in 11i, since that version's tech stack is not based on 10gAS. INST_TOP is the "Instance TOP" environment variable for the R12 Apps installation, and serves as a reminder to connect as the Apps owner (not database software owner) to run these commands.

chmod g+r $INST_TOP/ora/10.1.3/j2ee/forms/config/jms.xml
chmod g+r $INST_TOP/ora/10.1.3/j2ee/forms/application-deployments/forms/orion-application.xml
chmod g+r $INST_TOP/ora/10.1.3/j2ee/forms/application-deployments/forms/formsweb/orion-web.xml
chmod g+r $INST_TOP/ora/10.1.3/j2ee/oacore/config/jms.xml
chmod g+r $INST_TOP/ora/10.1.3/j2ee/oacore/application-deployments/oacore/orion-application.xml
chmod g+r $INST_TOP/ora/10.1.3/j2ee/oacore/application-deployments/oacore/html/orion-web.xml
chmod g+r $INST_TOP/ora/10.1.3/j2ee/oafm/config/jms.xml
chmod g+r $INST_TOP/ora/10.1.3/j2ee/oafm/application-deployments/oafm/orion-application.xml
chmod g+r $INST_TOP/ora/10.1.3/j2ee/oafm/application-deployments/oafm/webservices/orion-web.xml
chmod g+r $INST_TOP/ora/10.1.3/j2ee/oafm/application-deployments/mapviewer/orion-application.xml
chmod g+r $INST_TOP/ora/10.1.3/j2ee/oafm/application-deployments/mapviewer/web/orion-web.xml
chmod g+r $INST_TOP/ora/10.1.3/j2ee/oafm/application-deployments/ascontrol/orion-application.xml

3 Comments

  1. Philani
    Posted 29 August 2011 at 2:33 | Permalink

    Hi John,

    Very nice article, do we have something similar for 11g. I need to give access to other users (ORACLE_HOME - Fusion Middleware 11g) to be able to compile forms using the frmcmp script. I just need proper permissions for 11g as we had for 10g (437078.1).

    Regards,
    Philani

  2. Posted 3 September 2011 at 9:36 | Permalink

    Hi Philani,

    Your situation sounds different than the problem that I'm trying to solve with this post, but it should hopefully be less complicated. Since you are considering granting execute access on frmcmp to a broader group of users, however, it is worthwhile to consult with Oracle Support to make sure that you aren't violating a recommended security practice.

    Regards,

    John P.

  3. Philani
    Posted 6 September 2011 at 7:42 | Permalink

    Hi John,

    Metalink note 437078.1 worked very well for OAS 10.1.2.x. I did log an SR with Oracle; they suggested using the sudo utility for Forms 11g. The problem with using sudo is; frmcmp script calls hundreds of scripts/modules/libraries inside the ORACLE_HOME which defeats the purpose of protecting ORACLE_HOME. We would end up granting execute privs to all the files inside the ORACLE_HOME.

    Fusion Middleware Installation Guide for Oracle Portal, Forms, Reports and Discoverer 11g Release 1 (11.1.1)" --> "2.3.2 Installing as a Non-Default User":

    http://download.oracle.com/docs/cd/E17904_01/install.1111/e10421/install.htm#CHDBFCBC

    On UNIX operating systems, the installation of Fusion Middleware products is owned and controlled as a known user (for example, "oracle"). The file
    permissions associated with this installation are configured to ensure the highest level of security possible, which by default are 700 (meaning all files are owned and accessible by the owner only).

    Changing the default permissions settings will reduce the security of the installation and possibly your system. Therefore, making such a change is not
    recommended. If access to particular files or executables is required by other users, the UNIX sudo command (or other similar command) should be
    considered in lieu of changing file permissions..."

    Regards,
    Philani

One Trackback

  1. [...] When an E-Business Suite system is behaving in a way that suggests one or two mangled (some say "corrupt," but I try not to be judgmental) configuration files, a common first response is to run Autoconfig to see if the system can sort itself out. Running Autoconfig is also frequently necessary during the course of normal maintenance, e.g. during some patching, or when renaming/relocating Oracle Apps nodes. This weekend, I was reminded of an interesting side effect of running Autoconfig. After the process was complete, Grid Control started reporting metric collection errors and "Unknown" status for some components on the application tier nodes. In this case, Autoconfig was just doing its job, generating new versions of configuration files for the apps tier, complete with their original file permissions, which overwrote the permission changes I had made to enable the Grid Control agent to monitor some of the OC4J components. Good thing I keep that list of chmod commands in an easy-to-find reference location. [...]

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*