ORAchk & EXAchk

Oracle
ORAchk & EXAchk

Oracle Stack Health Checks
Version 12.2.0.1.3
Copyright 2017, Oracle and/or its affiliates. All rights reserved. |

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracles products remains at the sole discretion of Oracle.
Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 2

Agenda
1 Features Common to both ORAchk & EXAchk
2 ORAchk Specific
3 EXAchk on Exadata
4 EXAchk on Exalogic
5 EXAchk on SuperCluster / MiniCluster
6 EXAchk on Exalytics
7 EXAchk on Big Data
Agenda
2 ORAchk Specific
3 EXAchk on Exadata
Why Oracle ORAchk & EXAchk
Automatic proactive warning Health checks for most impactful Runs in your environment
of problems before they reoccurring problems with no need to send
impact you anything to Oracle
Get scheduled health reports Findings can be integrated

sent to you in email Engineered into other tools of choice
EXAchk
Systems
Common Framework
Non
Engineered ORAchk
Systems

Development Methodology
Release cycles are targeted to 90 days, with Beta made available
approximately two weeks before production
o Interim releases may be released sooner if significant new checks are
added before scheduled release
o Also timed to coincide with major software releases and / or hardware
changes
Maintains backward compatibility
Continuous improvement from:
o Enhancement requests / feedback from customers
o Exadata MAA Best Practices team
o Critical Issues discovery
o Internal testing, proofs of concepts & Support partners
Oracle Stack Coverage
Oracle Engineered Systems Oracle Database Oracle E-Business Suite
Oracle Database Appliance Standalone Database Oracle Payables
o Oracle Exadata Database Machine Grid Infrastructure & RAC Oracle Workflow
o Oracle SuperCluster / MiniCluster Maximum Availability Architecture (MAA) Oracle Purchasing
Scorecard Oracle Order Management
o Oracle Private Cloud Appliance
Upgrade Readiness Validation Oracle Process Manufacturing
o Oracle Big Data Appliance
Golden Gate Oracle Receivables
o Oracle Exalogic Elastic Cloud Oracle Restart Oracle Fixed Assets
o Oracle Exalytics In-Memory Machine Oracle Enterprise Manager Cloud Control Oracle HCM
o Oracle Zero Data Loss Recovery Appliance Repository Oracle CRM
Oracle ASR Agent Oracle Project Billing
OMS Oracle Siebel
Oracle Systems
Oracle Solaris Oracle Middleware Database best practices
Cross stack checks Application Continuity Oracle PeopleSoft
Oracle Identify and Access Management Database best practices
Solaris Cluster
Suite (Oracle IAM)
OVN Oracle SAP
EXAdata best practices

Architecture Options
Many Instances One Instance One Instance One Instance
ORAchk / EXAchk Collection Manager Enterprise Manager ELK Stack
Health SQL
Checks Results Oracle Oracle Elastic
Database Database Search
View enterprise wide View enterprise wide View enterprise wide

results via Collection results via Enterprise results via Kibana
Run Manager interface Manager interface dashboards
Checks
HTML XML
Results Results
Email JSON
Notification Results

Supported Environments
ORAchk EXAchk
Operating System Versions Supported All Oracle Engineered Systems
Linux / zLinux Oracle Linux/RedHat 4, Apart from ODA, which uses ORAchk
5, 6, 7
SuSE 9,10, 11, 12
Oracle Solaris SPARC / x86-64 9, 10, 11
AIX 5.2, 5.3, 6.1, 7.1, 7.2
HPUX Itanium / PA-RISC 11.23, 11.31
Microsoft Windows (with 2008, 2012
cygwin)

Installation
If Oracle Clusterware is installed If Oracle Clusterware is not installed
1. Download latest version 1. Download latest version
ORAchk : 1268927.2 ORAchk : 1268927.2
EXAchk : 1070954.1 EXAchk : 1070954.1
2. Copy the zip file to the installation 2. Copy the zip file to the installation
system and extract: system and extract:
EXAchk: EXAchk:
in /opt/oracle.SupportTools/exachk as the in /opt/oracle.SupportTools/exachk as the
Oracle Grid Infrastructure home owner root user
ORAchk: ORAchk:
in CRS_HOME/suptools/orachk as the in a convenient location as Oracle software
Oracle Grid Infrastructure home owner install user or Oracle Database home owner

Which User to Run as
Run as root (recommended) Run as RDBMS or GRID Home Owner
o ORAchk/EXAchk will su to lower privileged o User must be able to switch to root for root level
owners of RDBMS or grid homes checks several options:
o To specify a user other that root for these 1. Provide the root userid password at prompts
situations: or
Connect via Change User By 2. Set up sudo
SSH & Default User exporting user id in this
or
Run Checks on Environment Variable
Exadata Storage
root RAT_CELL_SSH_USER
3. Pre-configure passwordless SSH connectivity
Server
root
(when run as root)
InfiniBand
nm2user RAT_IBSWITCH_USER
switches (when run as other user) Note:
On SuperCluster you can use Role Based Access Control (RBAC) to
execute root privileged checks, no root user required.
Note: You may only choose from the provided lower privileged account root checks must be run as a user with a root equivalent access role
On Exalogic it is only supported to run as root

Maintaining
Option 1 With internet connection Option 2 No internet connection
o When older than 120 days it will prompt you to let it a) Download the latest version to a shared network
automatically download newer version from My staging location
Oracle Support b) Set environment variable RAT_UPGRADE_LOC:
o Can also be specifically triggered with: export RAT_UPGRADE_LOC=<staging dir>
-download c) Next time started it will prompt to allow it to
upgrade itself

Recommended Usage Automated Risk Notification
1) Schedule to run in daemon mode weekly or daily and
email report
2) Identify actions easily by viewing automated

comparison of previous runs
3) Act on recommendations

Schedule
-set AUTORUN_SCHEDULE=3 * * * ;NOTIFICATION_EMAIL=SOME.BODY@COMPANY.COM
-d start
Day of month (1 31) Day of week (0 6)

(0 to 6 are Sunday to Saturday)
AUTORUN_SCHEDULE = ? ? ? ?
Hour (0 23) Month (1 12)
example: -set 'AUTORUN_SCHEDULE=8,20 * * 2,5' will schedule runs on Tuesday and Friday at 08:00 & 20:00

Email Notification
First email will contain the HTML report

View Report
Health score
Summary of run
Table of content
Controls for report features
Findings
Recommendations

View Report
Table of content
Controls for report features
Checks which passed are not shown by default
Quickly show or hide checks based on their
status
Show or hide major sections of the report
Collapse or expand check findings
Show check Ids
Remove the findings from the report This
doesnt change the report but optionally hides
findings on a check by check basis
Display a printable view

View Findings
Check status
Type of Check
Check Message
Where the check was run
Link to expand details

View Recommendations
What to do to solve the problem

Links to relevant Knowledge docs
Where recommendation applies
Where problem doesnt apply
Example of data the
recommendation is based on

Review MAA Score Card
Critical Issues in MAA Scorecard

o All issues reported in SOFTWARE
MAINTENANCE BEST PRACTICES
Software version mapping table
Installed software versions checked

for noncurrent or incompatible
feature usage

Email Notification
Subsequent emails compare results to

previous run
Easily see if something has changed
Email attachment has:
o Latest report
o Previous report
o Diff Report

Diff Output
Diff overview
Summary of this run vs previous

Diff Output
Differences between each run

Other Recommended Usage
Upgrade or Patching Other typical times to run ORAchk
o Detects all databases registered in the o Machine moves
clusterware automatically o Hardware failure / repair
o Presents list of databases to check o Problem troubleshooting
o Pre Upgrade o In addition to go-live testing
Run during upgrade planning phase
Asks which version you plan to upgrade to
-u o pre
o Post Upgrade
Run after upgrade
-u o post

Automated Usage with the Daemon

Set Daemon Options, When, What & Who to Tell
set <option_1>=<option_1_value>;<option_2>=<option_2_value>;<option_n>=<option_n_value>
AUTORUN_SCHEDULE AUTORUN_FLAGS
Schedule when orachk will be run Command line options to be passed through to orachk run
Hour, day of month, month of year & day of week
Comma separate multiple values for same timeframe set AUTORUN_FLAGS=-profile dba tag dba
* Wildcard
Day of month (1 31) Day of week (0 6)
(0 to 6 are Sunday to Saturday)
? ? ? ?
Hour (0 23) Month (1 12)
NOTIFICATION_EMAIL
set AUTORUN_SCHEDULE=2 * * 1,3,5
Comma separated list of emails to send daemon notifications to
set NOTIFICATION_EMAIL=some.person@acompany.com,another.person@acompany.com

Set Daemon Options, Maintenance
set <option_1>=<option_1_value>;<option_2>=<option_2_value>;<option_n>=<option_n_value>
COLLECTION_RETENTION
Number of days to keep files created by scheduled run, files older than this will be deleted
set COLLECTION_RETENTION=30
PASSWORD_CHECK_INTERVAL
Frequency in hours of password validation
When found invalid daemon stops & notifies via log & email
set PASSWORD_CHECK_INTERVAL=48

Set Daemon Options, Multiple IDs
Only one Daemon process should be used across a database cluster
o Multiple daemon profiles can be configured using IDs
o Allows for multiple different types of orachk runs
id <ID> set <option>=<value>

Get Daemon Option
Find a specific daemon option which has been set
Use with or without ID
Get value of particular option for specific id Get value of particular option for all IDs
id <ID> get <option> get <option>

Get All Daemon Options
Find any Daemon options which have been set
Used with or without ID
Get value of all options for specific id Get value of all options for all IDs
id <ID> get all get all

Start Daemon
d start
1. Start the daemon

2. Follow the prompts

Daemon Information
Check if the daemon is running: Get more detailed information about the daemon
d status d info

Daemon Next Autorun
Find when the next auto run will happen: Find when the next auto run will happen for a specific ID
d nextautorun id <id> d nextautorun

Daemon Stopping
Stop an orachk run mid-flow: Stop the daemon
d stop_client d stop

Auto Restart Daemon
Restart daemon if
machine restarts
o Uses passwordless ssh
user equivalence to root
initsetup

Auto Restart Daemon, Check Status & Remove Auto Restart
Restart status of daemon can be queried: If you want to remove restart settings:
initcheck initrmsetup

With or Without the Daemon
When daemon is running, if orachk is run in on-demand mode it will
connect to the daemon by default and make use of pre-provided prompt
values
o To avoid connecting to the daemon use nodaemon:
nodaemon
o To only run orachk when the daemon is running use daemon:

daemon

Email Notifications
Run in ad hoc mode and receive html report via email
-sendemail "NOTIFICATION_EMAIL=abc@company.com,xyz@company.com"
Verify email configuration function

-testemail "NOTIFICATION_EMAIL=abc@company.com,xyz@company.com"
Use testemail all to use email addresses stored in daemon configuration

-testemail all
If the Exadata storage cells are unable to send email use usecompute, which will
send the email from the database server instead:
-testemail "NOTIFICATION_EMAIL=some.person@acompany.com" -usecompute
or
-sendemail "NOTIFICATION_EMAIL=some.person@acompany.com" -usecompute

Additional Capabilities & Features

Health Check Catalog
Bundled within .zip download
ORAchk_Health_Check_Catalog.html
EXAchk_Health_Check_Catalog.html
Contains all published checks
Filterable & searchable
Product Area / Engineered System
Profiles
Alert Level
Release Check Authored
Platforms
Privileged User
Look up check id without running report

Database Checks
Checks run against all database nodes in the cluster by default
o To specify only a subset of nodes use: clusternodes <node_1>,<node_2>
o Only local node: localonly
Automatically discovers all databases and prompts for which should be checked
o Do not prompt but run all checks on all discovered database: dball
o Do not prompt and skip all database related checks: dbnone
o Only run checks against a subset of databases: dbnames <db_1>,<db_2>

Output
EXAchk & ORAchk will output the collection results to the directory it is run from
Unless run from $ORACLE_HOME/suptools/orachk then output goes to $ORACLE_BASE/orachk
oOutput can be directed to a different directory with output

output <OUTPUT_DIR>
Output will be directory and a zip of the same name

Output Descriptions
log : various log files
outfiles : collection results checks are based on
reports : subreports used to build the main report
scripts : scripts used during collection
upload : files for upload of collection into database or integration into other tools
orachk_*.html Main HTML report output
exachk_*.html

Temporary Working Directory
Temporary files will be created during execution
Default location is $HOME
Location can be changed by setting RAT_TMPDIR export RAT_TMPDIR=<TEMP_DIR>
If using sudo access to root from a lower privileged user id, temporary directory must be
reflected in /etc/sudoers file
<user> ALL=(root) NOPASSWD:<TEMPDIR>/.[orachk|exachk]/root_[orachk|exachk].sh
oracle ALL=(root) NOPASSWD:/tmp/.orachk/root_orachk.sh
Root privilege checks run from root_orachk.sh or root_exachk.sh

If you want the root script in a different directory to RAT_TMPDIR use: RAT_ROOT_SH_DIR
export RAT_ROOT_SH_DIR=/mylocation
oracle ALL=(root) NOPASSWD:/mylocation/root_exachk.sh

Parallel Execution
Database collections are executed in parallel
The default number of slave processes used is calculated automatically
Default can be changed with dbparallel <# slave processes> or -dbparallelmax
dbparallel <# slave processes> dbparallelmax
Parallel execution can be disabled altogether if required with -dbserial

dbserial

Tagging, Merging & Comparing Reports
Collections are typically of the format:
[orachk|exachk]_<dbserver>_<database>_<date>_<timestamp>.html
Tag collections so output contains another word to help differentiate it:

tag <tag_name> [orachk|exachk]_<dbserver>_<database>_<date>_<timestamp>_<tag_name>.html
Merge multiple reports into one with merge and list of collection directories or zip
files: merge <collection_1>,<collection_2>
Compare collections with diff: diff <collection_1>,<collection_2>

Profiles
Profiles provide logical grouping of checks which are about similar topics
Run only checks in a specific profile
profile <profile>
Run everything except checks in a specific profile

excludeprofile <profile>

Run or exclude individual checks
Granular control to execute or exclude a single check
Ideal for testing new checks or troubleshooting
Run only specific check(s): -check <check_id_1>,<check_id_2>
Exclude a specific check: excludecheck <check_id_1>,<check_id_2>
Find check id either from report or Health Check Catalog

Keep Track of Changes to the Attributes of Important Files
Track changes to the attributes of important files with fileattr
Looks at all files & directories within Grid Infrastructure and Database homes by default
The list of monitored directories and their contents can be configured to your specific requirements
Use fileattr start to start the first snapshot ./orachk fileattr start
$ ./orachk -fileattr start

CRS stack is running and CRS_HOME is not set. Do you want to set CRS_HOME to
/u01/app/11.2.0.4/grid?[y/n][y]
Checking ssh user equivalency settings on all nodes in cluster
Node mysrv22 is configured for ssh user equivalency for oradb user
Node mysrv23 is configured for ssh user equivalency for oradb user
List of directories(recursive) for checking file attributes:
/u01/app/oradb/product/11.2.0/dbhome_11203
/u01/app/oradb/product/11.2.0/dbhome_11204
orachk has taken snapshot of file attributes for above directories at:
/orahome/oradb/orachk/orachk_mysrv21_20170504_041214

Include other directories with includedir <directories> using a comma separated list of directories
./orachk fileattr start includedir /home/oradb,/etc/oatab
Exclude the default discovered directories with excludediscovery

./orachk fileattr start includedir /home/oradb,/etc/oatab -excludediscovery

Compare current attributes against first snapshot using fileattr check
./orachk fileattr check
$ ./orachk -fileattr check -includedir "/root/myapp/config" -excludediscovery
CRS stack is running and CRS_HOME is not set. Do you want to set CRS_HOME to
/u01/app/12.2.0/grid?[y/n][y]
Checking for prompts on myserver18 for oragrid user...
Checking ssh user equivalency settings on all nodes in cluster
Node myserver17 is configured for ssh user equivalency for root user
List of directories(recursive) for checking file attributes:
Results of snapshot comparison will also
/root/myapp/config be shown in the HTML report output
Checking file attribute changes...
.
"/root/myapp/config/myappconfig.xml" is different:
Baseline : 0644 oracle root /root/myapp/config/myappconfig.xml
Current : 0644 root root /root/myapp/config/myappconfig.xml
etc
etc
Note:
Use the same arguments with check that you used with start
Will proceed to perform standard health checks after attribute checking
File Attribute Changes will also show in HTML report output

To prevent standard health checking after attribute checking add fileattronly:
fileattr check fileattronly
To use a different snapshot baseline use baseline:

-fileattr check -baseline <snapshot>
To remove all snapshot use fileattr remove

-fileattr remove

Oracle Collection Manager

Oracle Health Check Collection Manager Dashboard

Dashboard Filters
Filter by
Filter by configurable
Interval business units Filter by Filter by
systems health score
Click on color coded

area to drill down

Most Failures & Warnings
Click to see the

recommendation details

Most Failures
Click to drill into

failures

Most Warnings
Click to drill into
warnings

Recent Collections
Health
Score Warning count
Fail count Info count Pass count
Ignore count
No difference OR No regression
failed in current collection
At least one regression from
Non-WARNING to WARNING OR
Found WARNING regression in
current collection
At least one regression from
Non-FAIL to FAIL OR Found FAIL
regression in current collection
Non clickable green flag -
Preceding collection not found

View Collection
Collection
Link

View Collection
Recommendation

User Defined Checks
Use as a Health Checking Platform
You write your own business
specific User Defined Checks
Collection Manager authoring UI
very similar to Oracles internal
authoring tool
OS or SQL logic
Generates user_defined_checks.xml
sample in install directory
Utilizes framework features such as
result output, email notification,
CM storage etc
User Defined Checks
Have their own profile:
user_defined_checks
Can be run on their own:

-profile user_defined_checks
Can be excluded:
-excludeprofile user_defined_checks
Have their own section of the report

Setup
1. First time installation done via the APEX Collection Manager upgrade done from
workspace (either APEX 4.2 or 5.x) orachk / exachk:
2. Use the sql script applicable for your -cmupgrade
APEX version:
Will determine the APEX version you
APEX 4.2: CollectionManager_App.sql
have and install the latest applicable
APEX 5.x: Apex5_CollectionManager_App.sql
Collection Manager app
3. Follow Health Check Collection Manager
If the Collection Manager schema
installation in the User Guide
changes in the future then ORAchk will
4. Login to Collection Manager Application prompt for auto upgrade
via a URL like the following:
http://hostname:port/apex/f?p=ApplicationID Note: APEX 4.2 version of CM app exists for backwards compatibility.
http://hostname:port/pls/apex/f?p=ApplicationID New features will only go into the APEX 5 Collection Manager app

Collection Storage Table
Collection zip files are stored in the RCA13_DOCS
table - already created during collection manager
installation
Provide ORAchk details of where to upload
collection results with setdbupload all and
complete prompts:
-setdbupload all
Get current values with -getdbupload:

-getdbupload
Unset values with unsetdbupload <parameter>:

unsetdbupload RAT_UPLOAD_PASSWORD

Store DB Upload Variables in Wallet
Set all with:
-setdbupload all
Set specific variables by specifying comma separated list:

-setdbupload RAT_UPLOAD_CONNECT_STRING,RAT_UPLOAD_PASSWORD
Unset all with Other Upload Parameters Not Set Description

-unsetdbupload all by default
RAT_UPLOAD_USER The user to connect as (default is ORACHKCM)
Check if variables are set correctly: RAT_UPLOAD_TABLE The table name to store non-zipped collection
results
-checkdbupload
RAT_PATCH_UPLOAD_TABLE The table name to store non-zipped patch results
RAT_UPLOAD_ORACLE_HOME The ORACLE_HOME used during establishing
connection and uploading.
(Uses GI HOME discovered by ORAchk by default)
RAT_UPLOAD_TABLE & Only needed if you are using your own custom
RAT_PATCH_UPLOAD_TABLE application to view collection results, rather than
Collection Manager.

Integrating With
Oracle Enterprise Manager Cloud Control 13.1+

Enterprise Manager Integration
Related checks grouped into View targets checked, violations &

compliance standards average score
Check results integrated into EM

compliance framework via plugin
View results in native EM
compliance dashboards
Drill down into compliance standard View break down by target
to see individual check results

Setting Up Enterprise Manager Plugin
The plugin is already installed by default with Enterprise Manager 13.1+
1. Deploy the plugin using the Enterprise Manager Plugin Deployment feature
2. Provision the plugin to setup the daemon

Provision
Use Enterprise Manager provisioning After selected this will launch the
feature and select ORAchk/EXAchk provisioning wizard, choose the system
type

Provision
Provide new or select existing
credentials
Specify install location
Select when daemon should be run

Provision
Verify CRS Home
Finally choose Cell & InfiniBand
configuration

View Results by Compliance Standard
Drill into applicable standard and view
individual checks & target status
Filter by Exachk%
Click individual checks for

recommendation details

Integrating With 3rd Party Tools

JSON Output to Integrate with Kibana, Elastic Search etc
The JSON provides many tags to
allow dashboard filtering based on
facts such as:
Engineered System type
Engineered System version
Hardware type
Node name
OS version
Rack identifier
Rack type
Database version
And more...
Kibana can be used to view health
check compliance across your data
center
Results can also be filtered based
on any combination of exposed
system attributes

JSON Result Output
Results are also output in JSON Writing JSON Results With syslog
format in the upload directory of 1. JSON output results can be sent to the
syslogd Daemon with syslog option e.g.:
the collection
set AUTORUN_FLAGS=-syslog
2. Message levels used of crit, err, warn

and info
3. You can verify syslog configuration by
running the following commands:
4. Then verify in your configured message

location (e.g. /var/adm/messages) that each
test message was written

Integrating With Your Own Application

Configure Details for Upload of Collection Results
If you dont use Collection Manager and have your own application which consumes the results
1. Create the tables: auditcheck_result, auditcheck_patch_result & RCA13_DOCS
2. Set default parameters: setdbupload all
This will prompt you for and set the RAT_UPLOAD_CONNECT_STRING & RAT_UPLOAD_PASSWORD
3. Set optional parameters for RAT_UPLOAD_TABLE & RAT_PATCH_UPLOAD_TABLE
-setdbupload RAT_UPLOAD_TABLE,RAT_PATCH_UPLOAD_TABLE
Other Upload Parameters Not Set by default Description

RAT_UPLOAD_USER The user to connect as (default is ORACHKCM)
RAT_UPLOAD_TABLE The table name to store non-zipped collection results
RAT_PATCH_UPLOAD_TABLE The table name to store non-zipped patch results
RAT_UPLOAD_ORACLE_HOME The ORACLE_HOME used during establishing connection and
uploading.
(Uses GI HOME discovered by ORAchk by default)
RAT_UPLOAD_TABLE & Only needed if you are using your own custom application to view
RAT_PATCH_UPLOAD_TABLE collection results, rather than Collection Manager.

Troubleshooting

Troubleshooting Performance
View Component Elapsed Times View top 10 Time Consuming Checks
o Identify if one particular component is slow o If some in particular are slow, show check_id
and run again with:
excludecheck <check_id>
Try increasing the number of parallel

slave processes (Note: will increase resource usage)
dbparallelmax

Troubleshooting Timeouts
If checks are being killed this will be due EBS checks query application data which
to timeout: can vary hugely in size depending on the
size of your data
o If you suspect EBS checks try excluding
EBS profile:
Timeouts can be caused by slow checks or
interactive prompts excludeprofile ebs
Try increasing default times with applicable o Use RAT_TIMEOUT to increase to a

environment variables:
value where they are no longer killed
Default Value
Environment Variable Timeout Controlled
(seconds)
non-root individual
RAT_TIMEOUT 90
commands
root userid command
RAT_ROOT_TIMEOUT 300
sets
ssh login DNS
RAT_PASSWORDCHECK_TIMEOUT 1
handshake

Collecting Debug
Debugging via Daemon Debugging on-demand runs
d start_debug debug
Debug output:

Agenda
2 ORAchk Specific
3 EXAchk on Exadata
Maintaining ORAchk
Option 3 Applied with PSU
o Each database PSU contains the latest ORAchk version available at time of creation
o When a database PSU is applied the ORAchk zip version contained will be staged in
$ORACLE_HOME/suptools
o The next run of ORAchk it will prompt you to upgrade if the version copied by the PSU
is newer than installed Just like option 2

Application Continuity

Concrete Classes
ORAchk helps ensure that your application is covered by Oracle Application

Continuity
Identifies any references to deprecated JDNVC concrete classes that need to be
changed
Analyzes the database operations in the application
Reports the level of protection, and where applications are not protected
Command-Line Argument Shell Environment Usage
In places where applications are not protected, ORAchk reports why
Variable
asmhome jarfilename RAT_AC_ASMJAR Point to a version of asm-all-5.0.3.jar that you download from http://asm.ow2.org/
-javahome JDK8dirname RAT_JAVA_HOME Point to the JAVA_HOME directory for a JDK8 installation
-appjar dirname RAT_AC_JARDIR Point to the parent directory name for the code. Will analyze .class files, and recursively .jar files
and directories.

Concrete Classes

Measure Coverage
1. Turn on tracing at either a session level or database level
To enable for a single application function, run as follows (put this in the callback or before beginRequest so replay is not disabled by setting
events): alter session set events 'trace [progint_appcont_rdbms]';
To enable for all session run: alter system set event='trace[progint_appcont_rdbms]' scope = spfile;
2. Run through the application functions. To report on an application function, it needs to have executed. The more application
functions run, the better the information that the coverage analysis provides.
3. Use ORAchk to analyze the collected database traces and report the level of protection, and where not protected, report why
Command-Line Argument Shell Environment Usage
Variable
asmhome jarfilename RAT_AC_ASMJAR Point to a version of asm-all-5.0.3.jar that you download from http://asm.ow2.org/
-javahome JDK8dirname RAT_JAVA_HOME Point to the JAVA_HOME directory for a JDK8 installation
-apptrc dirname RAT_AC_TRCDIR Directory name containing one or more database server trace files. The trace directory is
generally: $ORACLE_BASE/diag/rdbms/{DB_UNIQUE_NAME}/$ORACLE_SID/trace

Measure Coverage Produces a directory named:
orachk_uname_date_time
Reports coverage and lists
trace files that have
WARNINGS or FAIL status
./orachk -asmhome /tmp/asm-all-5.0.3.jar

-javahome /tmp/jdk1.8.0_40
-apptrc $ORACLE_BASE/diag/rdbms/$ORACLE_SID/trace 3
Example output found in orachk_.....html#acchk_scorecard

ORAchk IAM

ORAchk IAM
Supported Platforms & Databases Supported Components & Topologies
Operating System Database Components
Linux (Oracle Enterprise Linux/RedHat 5, 6, 7 10g R1 Oracle Identity Manager (11.1.2.2.x and 11.1.2.3.x)
and SuSE 9,10, 11, 12) Oracle Access Manager (11.1.2.2.x and 11.1.2.3.x)
Linux on System Z (RedHat 6, 7 and SuSE 12) 11g R1 Oracle Unified Directory (11.1.2.2.x and 11.1.2.3.x)
11g R2
12c Topologies
12c R2 Oracle Identity Manager in single node as well as in multi-node
setups
Health checks run on Oracle Unified Directory (OUD) only.

Oracle Access Manager + (Any directory)* in single node as
well as in multi-node setups
If other directories are there as well, then ORAchk will skip those directories and
perform health checks on Oracle Access Manager.
Oracle Identity Manager + Oracle Access Manager + (Any
Oracle Access Manager configured in embedded LDAP mode is not supported directory)* in single node as well as in multi-node setups

ORAchk IAM
Installation Usage
1. Download latest ORAchk IAM version 1. Set the environment variable to run the health checks
based on a specific deployment size
from 1268927.2
Deployment Size Directory User Size
2. Copy the orachk_idm.zip file to the small Close to 100 K
WebLogic Admin system and extract medium Close to 1 million

large Close to 15 million
3. Ensure JDK 6 or later is set in the extralarge Close to 250 million
system path or set RAT_JAVA_HOME export RAT_IDM_DEPLOYMENT_SIZE=small
2. Run : ./orachk
If the oraInst.loc file is not in the default directory then specify the 3. If database is running on a remote server, then extract
oraInventory directory using the RAC_INV_LOCAL environment variable.
For example: orachk_IAM.zip there
export RAT_INV_LOC=/scratch/shared/oracle/oraInventory
4. Run : ./orachk -idmdbruntime

ORAchk IAM - Options
Option Description Option Description
-idm h Displays IDM help -idmpdbostinstall Runs post-install database checks on
Identity Management System
-idmpreinstall Runs all pre-install checks on Identity
Management System -idmdbruntime Runs runtime database checks on Identity
Management System
-idmpostinstall Runs all post-install checks on Identity
Management System -idm_config Passes OAM, OIM, and one of the OUD host
from clusters
-idmruntime Runs all runtime checks on Identity
Management System -Idmdiscargs Passes arguments to Identity Management
Discovery Tool
- Runs pre-install database checks on Identity
idmdbpreinstall Management System -idmhcargs Passes arguments to Identity Management
Healthcheck Tool
Copyright 2017, Oracle and/or its affiliates. All rights reserved. |

ZFS Storage Appliance

ZFS Storage Appliance
To run on one ZFS appliance use the -zfssa option:

./orachk -zfssa
For multiple ZFS appliances specify a comma-delimited list:

./orachk -zfssa node1,node2

Agenda
2 ORAchk Specific
3 EXAchk on Exadata
Checks for Cells & Switches
Run on a subset of cells using cells
./exachk cells <cell_1>,<cell_2>
Run on a subset of switches using -ibswitches

./exachk ibswitches <switch_1>,<switch_2>

Virtualization
1. Run from dom0 on first compute to cover all dom0s, cells and switches
o Install EXAchk into the management domain (DOM0) & run as root
o Will discover all compute nodes, storage servers and InfiniBand switches in the entire InfiniBand fabric
and run EXAchk on all
o If a single machine has been separated into multiple management domains
Use -clusternodes, -cells, -ibswitches to detail the components of the separate management domains
./exachk clusternodes <node_1>, <node_2> cells <cell_1>,<cell_2> ibswitches <switch_1>,<switch_2>
2. Run once on each virtual cluster

Profiles Profile
asm ASM Checks
Description
avdf Audit Vault Configuration checks

Profiles provide logical grouping of clusterware
control_VM
Oracle clusterware checks
Checks only for Control VM(ec1-vm, ovmm, db, pc1, pc2).
checks which are about similar topics No cross node checks
corroborate Exadata checks needs further review by user to determine
Run only checks in a specific profile pass or fail
dba DBA Checks
./exachk profile <profile> ebs Oracle E-Business Suite checks
eci_healthchecks Enterprise Cloud Infrastructure Healthchecks
Run everything except checks in a specific ecs_healthchecks Enterprise Cloud System Healthchecks
profile goldengate Oracle GoldenGate checks
hardware Hardware specific checks for Oracle Engineered systems
./exachk excludeprofile <profile> maa Maximum Availability Architecture Checks
ovn Oracle Virtual Networking
platinum Platinum certification checks
preinstall Pre-installation checks
prepatch Checks to execute before patching
security Security checks
solaris_cluster Solaris Cluster Checks
storage Oracle Storage Server Checks
switch Infiniband switch checks
sysadmin Sysadmin checks
user_defined_checks Run user defined checks from user_defined_checks.xml

Email Notifications
If the Exadata storage cells are unable to send email use usecompute, which will
send the email from the database server instead:
-testemail "NOTIFICATION_EMAIL=some.person@acompany.com" -usecompute
or
-sendemail "NOTIFICATION_EMAIL=some.person@acompany.com" -usecompute

Checks for Cells & Switches
Run on a subset of cells using cells
cells <cell_1>,<cell_2>
Run on a subset of switches using ibswitches

ibswitches <switch_1>,<switch_2>
Virtualization
1. Run from dom0 on first compute to cover all dom0s, cells and switches
o Install EXAchk into the management domain (DOM0) & run as root
o Will discover all compute nodes, storage servers and InfiniBand switches in the entire InfiniBand fabric
and run EXAchk on all
o If a single machine has been separated into multiple management domains
Use -clusternodes, -cells, -ibswitches to detail the components of the separate management domains
clusternodes <node_1>, <node_2> cells <cell_1>,<cell_2> ibswitches <switch_1>,<switch_2>
2. Run once on each virtual cluster
Agenda
2 ORAchk Specific
3 EXAchk on Exadata
Agenda
2 ORAchk Specific
3 EXAchk on Exadata
Agenda
2 ORAchk Specific
3 EXAchk on Exadata
Agenda
2 ORAchk Specific
3 EXAchk on Exadata
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracles products remains at the sole discretion of Oracle.

ORAchk &amp; EXAchk

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

ORAchk &amp; EXAchk

Hochgeladen von

Copyright:

Verfügbare Formate

Oracle

ORAchk & EXAchk

Copyright 2017, Oracle and/or its affiliates. All rights reserved. |

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 2

Get scheduled health reports Findings can be integrated

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 5

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 7

View enterprise wide View enterprise wide View enterprise wide

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 8

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 9

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 10

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 11

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 12

2) Identify actions easily by viewing automated

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 13

Day of month (1 31) Day of week (0 6)

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 14

First email will contain the HTML report

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 15

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 16

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 17

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 18

What to do to solve the problem

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 19

Critical Issues in MAA Scorecard

Software version mapping table

Installed software versions checked

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 20

Subsequent emails compare results to

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 21

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 22

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 23

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 24

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 25

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 26

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 27

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 28

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 29

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 30

1. Start the daemon

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 31

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 32

d nextautorun id <id> d nextautorun

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 33

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 34

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 35

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 36

o To only run orachk when the daemon is running use daemon:

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 37

Verify email configuration function

Use testemail all to use email addresses stored in daemon configuration

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 38

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 39

Look up check id without running report

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 40

o Only local node: localonly

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 41

oOutput can be directed to a different directory with output

Output will be directory and a zip of the same name

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 42

oracle ALL=(root) NOPASSWD:/tmp/.orachk/root_orachk.sh

Root privilege checks run from root_orachk.sh or root_exachk.sh

oracle ALL=(root) NOPASSWD:/mylocation/root_exachk.sh

Copyright 2017, Oracle and/or its affiliates. All rights reserved. | 43

ORAchk & EXAchk

ORAchk & EXAchk