2. Get Started
  3. Prerequisites
  4. Compliance Framework (Oracle Orachk and Oracle Exachk) Prerequisites

2.4.1 Compliance Framework (Oracle Orachk and Oracle Exachk) Prerequisites

Review the list of prerequisites to run Oracle Orachk and Oracle Exachk.

Parent topic: Prerequisites

2.4.1.1 Storage Servers that are Configured to Deny SSH Access

The following discussion applies to any Oracle engineered system that uses Oracle Exadata storage servers.

Optionally, you can prevent SSH access, also known as locking or locked. All Oracle Exachk functions involving locked storage servers are run with standard exacli commands from the database server upon which Oracle Exachk is launched. To temporarily unlock the storage servers that Oracle Exachk finds locked, provide the user name and credentials that you specified when configuring exacli to lock/unlock storage servers.

See Configuring Security for Oracle Exadata System Software in the Exadata System Software User's Guide.

Oracle Exachk does not operate upon the storage server attribute accessLevelPerm. If you have set that attribute to remoteLoginDisabled before an Oracle Exachk run, then it will remain unchanged during and after the Oracle Exachk run.

Oracle Exachk operates only upon the storage server attribute accessLevelTemp. For example, starting with the storage servers locked with remoteLoginDisabled:
ssh randomceladm01
ssh: connect to host randomceladm01 port 22: Connection refused

ssh randomceladm02
ssh: connect to host randomceladm02 port 22: Connection refused

ssh randomceladm03
ssh: connect to host randomceladm03 port 22: Connection refused

exachk -unlockcells all
Enter exacli user name: celluser
Is EXACLI password same on all Storage Servers?[y/n][y] y
Enter password for EXACLI user celluser to unlock Storage Server 192.168.178.225:
.  .  .  .  .  .  .  .  .  .  . 
Storage cell 192.168.178.225 successfully unlocked
Storage cell 192.168.178.226 successfully unlocked
Storage cell 192.168.178.227 successfully unlocked

ssh randomceladm03
Last login: Tue Mar  6 12:32:36 2018 from randomadm01.us.oracle.com

ssh randomceladm02
Last login: Tue Mar  6 12:32:09 2018 from randomadm01.us.oracle.com

ssh randomceladm01
Last login: Tue Mar  6 12:18:57 2018 from randomadm01.us.oracle.com

exacli -c celluser@randomceladm01
Password: ************
exacli celluser@randomceladm01> list cell attributes accessLevelPerm,accessLevelTemp
remoteLoginDisabled ((accesslevel=remoteLoginEnabled,starttime=2018-03-06T13:49:15-08:00,
endtime=2018-03-06T14:39:15-08:00,duration=50m,reason=Running Exachk))

As can be seen from the example, Oracle EXAchk implements a temporary window 
with a default expiration time of 50 minutes, to cover the period that Oracle EXAchk 
may be executing on the storage server.  
In normal operation, this temporary window is closed with "-lockcells" during the exachk cleanup routine.  
If exachk is blocked from the cleanup routine, say because of "kill -9", 
the temporary window will expire in it's own good time.

The following example shows the typical Oracle EXAchk execution sequence starting with the storage servers locked.  
You can see by the commands at the end that "remoteLoginDisabled" is still set and there is no temporary window:

exachk -c X4-2 -profile storage
...
...
Copying plug-ins
. .
Enter exacli user name: celluser
Is EXACLI password same on all Storage Servers?[y/n][y]
Enter password for EXACLI user celluser to unlock Storage Server 192.168.178.225:
.  .  .  .  .  .  .  .  .  .  .  .  . 
Node randomcel01 is configured for ssh user equivalency for root user
Node randomcel02 is configured for ssh user equivalency for root user
Node randomcel03 is configured for ssh user equivalency for root user
.  .  .  .  .  .  .  .  .  .  .  .  .
...
...
Starting to run root privileged commands in background on STORAGE SERVER randomcel01 (192.168.178.225)
Starting to run root privileged commands in background on STORAGE SERVER randomcel02 (192.168.178.226)
Starting to run root privileged commands in background on STORAGE SERVER randomcel03 (192.168.178.227)
Collections from STORAGE SERVER:
------------------------------------------------------------
Collecting - Exadata Critical Issue EX10
...
...
Detailed report (html) -  /root/vern_wagman/exachk_122014/production/lock_doc/exachk_randomclient01_030618_140319/exachk_randomclient01_030618_140319.html
UPLOAD [if required] - /root/vern_wagman/exachk_122014/production/lock_doc/exachk_randomclient01_030618_140319.zip

ssh randomceladm01
ssh: connect to host randomceladm01 port 22: Connection refused

exacli -c celluser@randomceladm01
Password: ************
exacli celluser@randomceladm01> list cell attributes accessLevelPerm,accessLevelTemp
         remoteLoginDisabled

Parent topic: Compliance Framework (Oracle Orachk and Oracle Exachk) Prerequisites

2.4.1.2 Running Oracle Exachk on Oracle Exadata and Zero Data Loss Recovery Appliance

Review the list of additional prerequisites for running Oracle Exachk on Oracle Exadata and Zero Data Loss Recovery Appliance.

Related Topics

Parent topic: Compliance Framework (Oracle Orachk and Oracle Exachk) Prerequisites

2.4.1.2.1 Storage Servers

On the database, if you configure passwordless SSH equivalency for the user that launched Oracle Autonomous Health Framework to the root  user on each storage server, then Oracle Autonomous Health Framework uses SSH equivalency credentials to complete the storage server checks.

You can run Oracle Autonomous Health Framework from the Oracle Exadata storage server, if there is no SSH connectivity from the database to the storage server.

To lock and unlock cells, use the –unlockcells and –lockcells options for Oracle Exadata and Zero Data Loss Recovery Appliance.
exachk -unlockcells all | -cells [comma-delimited list of cell names or cell IPs]
exachk -lockcells all | -cells [comma-delimited list of cell names or cell IPs]

Once the cells have been unlocked, if they are not locked again within the default timeout of 50 minutes, then they will be automatically locked again. You can adjust the timeout period using the RAT_CELLUNLOCK_TIMEOUT environment variable.

For example to change the timeout to 2 hours:

export RAT_CELLUNLOCK_TIMEOUT=120m
exachk -unlockcells all

Parent topic: Running Oracle Exachk on Oracle Exadata and Zero Data Loss Recovery Appliance

2.4.1.2.2 InfiniBand Switches

On the database, if you configure passwordless SSH equivalency for the user that launched Oracle Autonomous Health Framework to the nm2user user on each InfiniBand switch, then Oracle Autonomous Health Framework uses SSH equivalency credentials to complete the InfiniBand switch checks.

If you have not configured passwordless SSH equivalency, then Oracle Autonomous Health Framework prompts you for the nm2user user password on each of the InfiniBand switches.

Parent topic: Running Oracle Exachk on Oracle Exadata and Zero Data Loss Recovery Appliance

2.4.1.3 Running Oracle Autonomous Health Framework in Non-English Environments

Set globalization environment variables to run Oracle Autonomous Health Framework in non-English environments.

Oracle Autonomous Health Framework supports only English language. However, you can run Oracle Autonomous Health Framework by setting the globalization environment variables.
  1. To run Oracle Autonomous Health Framework in a non-English environment, set the environment variable NLS_LANG to AMERICAN_AMERICA.[NLS_CHARACTERSET].

    For example:

    export NLS_LANG=AMERICAN_AMERICA.JA16SJISTILDE

    For more information on setting globalization environment variables, see Setting Up a Globalization Support Environment in the Oracle Database Globalization Support Guide.

Related Topics

Parent topic: Compliance Framework (Oracle Orachk and Oracle Exachk) Prerequisites