=====Oracle 21c / 23c - Enabling and calling the REST API interface of CMAN (Oracle Connection Manager)=====

**Task**

After the base installation and the configuration as a SQL*Net proxy (see [[dba:sqlnet_cman_connection_manager_21c|Oracle 21c - Implementing a SQL*Net proxy and firewall with the Oracle Connection Manager CMAN - use as a standby DB proxy for older Java apps]] and [[dba:sqlnet_cman_connection_manager_tdm_21c|Oracle 21c - The CMAN, Oracle Connection Manager, in Traffic Director Mode (TDM)]]), the REST interface is to be enabled for monitoring the CMAN.

=== Which REST calls are available in the API? ===

Here are a few example calls. The CMAN documentation covers this rather thinly, but the SQL*Net documentation gives an example call for every CMAN command => https://docs.oracle.com/en/database/oracle/oracle-database/23/netrf/oracle-connection-manager-control-utility.html#GUID-8AC28E1F-0D33-41FA-9BD8-B9DB8519E931

/show/all
<code>
{"Parameters":{"listener_address":"(DESCRIPTION=(address=(protocol=tcp)(host=cman21c.pipperr.local)(port=1999)))","aso_authentication_filter":"OFF","connection_statistics":"ON","event_group":"(init_and_term, memory_ops)","log_directory":"/opt/oracle/diag/netcman/cman21c/cman_gpi/alert","log_level":"ADMIN","max_connections":20,"idle_timeout":0,"inbound_connect_timeout":10,"session_timeout":0,"outbound_connect_timeout":0,"max_gateway_processes":16,"min_gateway_processes":2,"max_cmctl_sessions":4,"password":"OFF","remote_admin":"ON","trace_directory":"/opt/oracle/diag/netcman/cman21c/cman_gpi/trace","trace_level":"OFF","trace_timestamp":"OFF","trace_filelen":1000,"trace_fileno":1,"service_rate":0,"connection_rate":0,"max_all_connections":0,"max_reg_connections":0,"compression":"OFF","sdu":8192,"expire_time":0,"non_tunnel_gateways":1000,"enable_ip_forwarding":"ON","use_sid_as_service":"ON","valid_node_checking_registration":"ON"},"Rule_List":[{"rule":"(rule=(src=*)(dst=*)(srv=*)(act=accept)(action_list=(aut=off)(moct=0)(mct=0)(mit=0)(conn_stats=on)))"},{"rule":"(rule=(src=cman21c)(dst=127.0.0.1)(srv=cmon)(act=accept))"},{"rule":"(rule=(src=cman21c)(dst=*)(srv=cmon)(act=accept))"}]}
</code>

/show/version
<code>
{"Version":"CMAN for Linux: Version 21.0.0.0.0 - Production","Error":"The command completed successfully."}
</code>

/show/status
<code>
{"Instance name":"cman_gpi","Version":"CMAN for Linux: Version 21.0.0.0.0 - Production","Start date":"08-NOV-2023 19:30:08","Uptime":"0 days 0 hr. 19 min. 16 sec","Num of gateways started":2,"Average Load level":0,"Log Level":"ADMIN","Trace Level":"OFF","Instance Config file":"/opt/oracle/product/21c/client_2/network/admin/cman.ora","Instance Log directory":"/opt/oracle/diag/netcman/cman21c/cman_gpi/alert","Instance Trace directory":"/opt/oracle/diag/netcman/cman21c/cman_gpi/trace","Error":"The command completed successfully."}
</code>

/show/defaults
<code>
{"listener_address":"(ADDRESS=(PROTOCOL=TCP)(HOST=cman21c)(PORT=1521))","aso_authentication_filter":"OFF","connection_statistics":"OFF","event_group":"OFF","log_directory":"/opt/oracle/product/21c/client_2/network/log/","log_level":"SUPPORT","max_connections":256,"idle_timeout":0,"inbound_connect_timeout":60,"session_timeout":0,"outbound_connect_timeout":0,"max_gateway_processes":16,"min_gateway_processes":2,"max_cmctl_sessions":4,"password":"OFF","remote_admin":"OFF","trace_directory":"/opt/oracle/product/21c/client_2/network/trace/","trace_level":"OFF","trace_timestamp":"OFF","trace_filelen":0,"trace_fileno":0,"Error":"The command completed successfully."}
</code>

/show/gateways
<code>
{"Gateways":[{"Gateway ID":0,"Gateway state":"READY","Number of active connections":0,"Peak active connections":0,"Total connections":0,"Total connections refused":0,"Received IN bytes":0,"Received OUT bytes":0,"Sent IN bytes":0,"Sent OUT bytes":0},{"Gateway ID":1,"Gateway state":"READY","Number of active connections":0,"Peak active connections":0,"Total connections":0,"Total connections refused":0,"Received IN bytes":0,"Received OUT bytes":0,"Sent IN bytes":0,"Sent OUT bytes":0}],"Summary":{"Total active cons":0,"Total peak active con":0,"Total Connections":0,"Total connections Refused":0,"Total Received IN bytes":0,"Total Received OUT bytes":0,"Total Sent IN bytes":0,"Total Sent OUT bytes":0}}
</code>

/show/rules
<code>
{"Rule_List":[{"rule":"(rule=(src=*)(dst=*)(srv=*)(act=accept)(action_list=(aut=off)(moct=0)(mct=0)(mit=0)(conn_stats=on)))"},{"rule":"(rule=(src=cman21c)(dst=127.0.0.1)(srv=cmon)(act=accept))"},{"rule":"(rule=(src=cman21c)(dst=*)(srv=cmon)(act=accept))"}],"Error":"The command completed successfully."}
</code>

So this is more or less what can also be queried with **show** on the command line.

----

=== Procedure ===

  * Set the attribute **REST_ADDRESS=SERVER:PORT** in cman.ora
  * Set the wallet attribute in cman.ora
  * Create the wallet
  * Store the SSL certificate
  * Store the authorization for access to the REST API

=== CMAN configuration ===

Set the parameter **"REST_ADDRESS=hostname:port"** and the path to the wallet in cman.ora:

<code>
cd $ORACLE_HOME/network/admin/
vi cman.ora
..
( REST_ADDRESS=cman21c:8000 )
..
wallet_location =
  (source =
    (method = file)
    (method_data = (directory="/opt/oracle/wallet/wallet-cman-tdm")))
</code>

In my case a wallet already exists, so that wallet is reused.

=== Wallet configuration for the SSL endpoint ===

If needed, create a new one:

<code>
$ORACLE_HOME/bin/orapki wallet create -wallet /opt/oracle/wallet/wallet-cman-tdm
</code>

Remember the password!

Store the server certificate:

<code>
$ORACLE_HOME/bin/orapki wallet add -wallet /opt/oracle/wallet/wallet-cman-tdm -dn 'cn=cman21c, c=pipperr.local' -keysize 2048 -self_signed -validity 365
</code>

=== Create the login user ===

<code>
mkstore -wrl /opt/oracle/wallet/wallet-cman-tdm -createEntry cmanadmin cmanSecretPWD
</code>

=== Set the wallet to auto login ===

<code>
$ORACLE_HOME/bin/orapki wallet create -wallet /opt/oracle/wallet/wallet-cman-tdm -auto_login
</code>

=== Restart CMAN ===

<code>
cmctl
CMCTL> administer cman_gpi
CMCTL:cman_gpi> shutdown
CMCTL:cman_gpi> startup
</code>

=== Testing ===

Check whether anything is reachable yet:

<code>
netstat -tulpe
</code>

Query the REST interface. The server certificate is self-signed, so certificate verification is switched off for the test (''--insecure'' for curl, ''--no-check-certificate'' for wget):

<code>
curl --insecure -X GET -u cmanadmin:cmanSecretPWD https://cman21c:8000/show/services

# alternatively with wget
wget -O- --no-check-certificate --user cmanadmin --password cmanSecretPWD https://cman21c:8000/show/all
</code>

== Problem: Authentication is needed - Invalid password ==

On the first test the password is rejected right away.

<code>
{"error": { "errors": [ { "reason": "Authentication is needed", "message": "" } ], "http_error_code": 401, "message": "Login Required" }}
</code>

In the log:

<code>
2023-11-08 19:06:49.035000 +01:00 (LOG_RECORD=(TIMESTAMP=08-NOV-2023 19:06:49)(EVENT=Invalid password))
</code>

But how does the password have to be stored in the wallet? Done as described in the documentation, it does not work at first.

Second attempt:

<code>
mkstore -wrl /opt/oracle/wallet/wallet-cman-tdm -createEntry cmanadmin cmanSecretPWD
</code>

Now a different error appears:

<code>
{"error": { "errors": [ { "reason": "Invalid URI or JSON payload or Not authorized operation", "message": "" } ], "http_error_code": 500, "message": "Internal server error" }}
</code>

Nothing shows up in the CMAN log, so either a rule is wrong or the REST call is wrong => the latter turned out to be the case: with the URL **https://cman21c:8000/show/all** it works, while **https://cman21c:8000/show/services** hangs.

<code>
curl --insecure -X GET -u cmanadmin:cmanSecretPWD https://cman21c:8000/show/services

hangs ...
</code>
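Since the REST interface is meant for monitoring, the /show/all response shown above can be checked automatically for settings that deserve a review. The following is an added example, not part of the original page or of Oracle's tooling: the function names, the shortened sample and the reading of ''remote_admin''/''password'' are assumptions of this example.

```python
import json
import re

# Constructed sample: a shortened copy of the /show/all response shown on this page.
SAMPLE_SHOW_ALL = json.dumps({
    "Parameters": {"log_level": "ADMIN", "password": "OFF", "remote_admin": "ON"},
    "Rule_List": [
        {"rule": "(rule=(src=*)(dst=*)(srv=*)(act=accept)"
                 "(action_list=(aut=off)(moct=0)(mct=0)(mit=0)(conn_stats=on)))"},
        {"rule": "(rule=(src=cman21c)(dst=127.0.0.1)(srv=cmon)(act=accept))"},
        {"rule": "(rule=(src=cman21c)(dst=*)(srv=cmon)(act=accept))"},
    ],
})

# Matches (src=..), (dst=..), (srv=..), (act=..); "(action_list=" does not match.
FIELD = re.compile(r"\((src|dst|srv|act)=([^()]*)\)", re.IGNORECASE)


def parse_rule(rule_text):
    """Return the src/dst/srv/act fields of one CMAN rule string as a dict."""
    return {k.lower(): v.strip() for k, v in FIELD.findall(rule_text)}


def audit_show_all(response_text):
    """Return review findings (list of str) for a /show/all JSON response."""
    data = json.loads(response_text)
    if "error" in data:  # e.g. the 401/500 bodies from the problem section
        raise ValueError(data["error"].get("message", "error response"))
    params = {k: str(v).upper() for k, v in data.get("Parameters", {}).items()}
    findings = []
    # Assumption of this example: remote_admin=ON with password=OFF means
    # remote cmctl administration is allowed and no instance password is set.
    if params.get("remote_admin") == "ON" and params.get("password") == "OFF":
        findings.append("remote_admin=ON while password=OFF")
    for index, entry in enumerate(data.get("Rule_List", [])):
        rule = parse_rule(entry.get("rule", ""))
        wildcards = [k for k in ("src", "dst", "srv") if rule.get(k) == "*"]
        if rule.get("act", "").lower() == "accept" and len(wildcards) == 3:
            findings.append(f"rule {index}: accepts any src/dst/srv")
    return findings


if __name__ == "__main__":
    for finding in audit_show_all(SAMPLE_SHOW_ALL):
        print("REVIEW:", finding)
```

In a real check the response text would come from the authenticated HTTPS call to /show/all instead of the embedded sample.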
----

==== Sources ====

Documentation:

  * https://docs.oracle.com/en/database/oracle/oracle-database/21/netag/configuring-oracle-connection-manager.html#GUID-E1A7D32F-E386-4964-AB90-DADB7B92ED71
  * https://docs.oracle.com/en/database/oracle/oracle-database/23/netag/configuring-oracle-connection-manager.html#GUID-7453F87E-2869-42F1-B1A3-CD2D6D2F74E8
  * https://docs.oracle.com/cd/F32587_01/netrf/database-net-services-reference.pdf