Oracle 21c / 23c - Enabling and calling the REST API interface of CMAN (Oracle Connection Manager)
Task
After the base installation and the configuration as a SQL*Net proxy (see Oracle 21c - Implementing a SQL*Net proxy and firewall with the Oracle Connection Manager CMAN - use as a standby DB proxy for older Java apps) and Oracle 21c - The CMAN, Oracle Connection Manager, in Traffic Director Mode (TDM), the REST interface is to be enabled for monitoring the CMAN.
Which REST calls are available in the API?
Here are a few examples of the calls. The CMAN documentation is rather weak on this, but the SQL*Net documentation includes an example call for every CMAN command ⇒ https://docs.oracle.com/en/database/oracle/oracle-database/23/netrf/oracle-connection-manager-control-utility.html#GUID-8AC28E1F-0D33-41FA-9BD8-B9DB8519E931
/show/all
{"Parameters":{"listener_address":"(DESCRIPTION=(address=(protocol=tcp)(host=cman21c.pipperr.local)(port=1999)))","aso_authentication_filter":"OFF","connection_statistics":"ON","event_group":"(init_and_term, memory_ops)","log_directory":"/opt/oracle/diag/netcman/cman21c/cman_gpi/alert","log_level":"ADMIN","max_connections":20,"idle_timeout":0,"inbound_connect_timeout":10,"session_timeout":0,"outbound_connect_timeout":0,"max_gateway_processes":16,"min_gateway_processes":2,"max_cmctl_sessions":4,"password":"OFF","remote_admin":"ON","trace_directory":"/opt/oracle/diag/netcman/cman21c/cman_gpi/trace","trace_level":"OFF","trace_timestamp":"OFF","trace_filelen":1000,"trace_fileno":1,"service_rate":0,"connection_rate":0,"max_all_connections":0,"max_reg_connections":0,"compression":"OFF","sdu":8192,"expire_time":0,"non_tunnel_gateways":1000,"enable_ip_forwarding":"ON","use_sid_as_service":"ON","valid_node_checking_registration":"ON"},"Rule_List":[{"rule":"(rule=(src=*)(dst=*)(srv=*)(act=accept)(action_list=(aut=off)(moct=0)(mct=0)(mit=0)(conn_stats=on)))"},{"rule":"(rule=(src=cman21c)(dst=127.0.0.1)(srv=cmon)(act=accept))"},{"rule":"(rule=(src=cman21c)(dst=*)(srv=cmon)(act=accept))"}]}

/show/version
{"Version":"CMAN for Linux: Version 21.0.0.0.0 - Production","Error":"The command completed successfully."}

/show/status
{"Instance name":"cman_gpi","Version":"CMAN for Linux: Version 21.0.0.0.0 - Production","Start date":"08-NOV-2023 19:30:08","Uptime":"0 days 0 hr. 19 min. 16 sec","Num of gateways started":2,"Average Load level":0,"Log Level":"ADMIN","Trace Level":"OFF","Instance Config file":"/opt/oracle/product/21c/client_2/network/admin/cman.ora","Instance Log directory":"/opt/oracle/diag/netcman/cman21c/cman_gpi/alert","Instance Trace directory":"/opt/oracle/diag/netcman/cman21c/cman_gpi/trace","Error":"The command completed successfully."}

/show/defaults
{"listener_address":"(ADDRESS=(PROTOCOL=TCP)(HOST=cman21c)(PORT=1521))","aso_authentication_filter":"OFF","connection_statistics":"OFF","event_group":"OFF","log_directory":"/opt/oracle/product/21c/client_2/network/log/","log_level":"SUPPORT","max_connections":256,"idle_timeout":0,"inbound_connect_timeout":60,"session_timeout":0,"outbound_connect_timeout":0,"max_gateway_processes":16,"min_gateway_processes":2,"max_cmctl_sessions":4,"password":"OFF","remote_admin":"OFF","trace_directory":"/opt/oracle/product/21c/client_2/network/trace/","trace_level":"OFF","trace_timestamp":"OFF","trace_filelen":0,"trace_fileno":0,"Error":"The command completed successfully."}

/show/gateways
{"Gateways":[{"Gateway ID":0,"Gateway state":"READY","Number of active connections":0,"Peak active connections":0,"Total connections":0,"Total connections refused":0,"Received IN bytes":0,"Received OUT bytes":0,"Sent IN bytes":0,"Sent OUT bytes":0},{"Gateway ID":1,"Gateway state":"READY","Number of active connections":0,"Peak active connections":0,"Total connections":0,"Total connections refused":0,"Received IN bytes":0,"Received OUT bytes":0,"Sent IN bytes":0,"Sent OUT bytes":0}],"Summary":{"Total active cons":0,"Total peak active con":0,"Total Connections":0,"Total connections Refused":0,"Total Received IN bytes":0,"Total Received OUT bytes":0,"Total Sent IN bytes":0,"Total Sent OUT bytes":0}}

/show/rules
{"Rule_List":[{"rule":"(rule=(src=*)(dst=*)(srv=*)(act=accept)(action_list=(aut=off)(moct=0)(mct=0)(mit=0)(conn_stats=on)))"},{"rule":"(rule=(src=cman21c)(dst=127.0.0.1)(srv=cmon)(act=accept))"},{"rule":"(rule=(src=cman21c)(dst=*)(srv=cmon)(act=accept))"}],"Error":"The command completed successfully."}
So this is more or less what can also be queried with show on the command line.
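Since the REST interface is meant for monitoring, the /show/all response can also be checked automatically. The following is an added example, not part of the original page or of Oracle's tooling: it parses the Rule_List strings and reports accept rules with wildcard sources as well as the combination remote_admin=ON with password=OFF. Which settings count as findings is an assumption of this example; the sample input is constructed from the output shown above, and the function names are hypothetical.

```python
import json
import re

# Constructed sample: a trimmed /show/all response containing only the fields
# used below, with the values from the output shown on this page.
SAMPLE_SHOW_ALL = json.dumps({
    "Parameters": {"password": "OFF", "remote_admin": "ON", "log_level": "ADMIN"},
    "Rule_List": [
        {"rule": "(rule=(src=*)(dst=*)(srv=*)(act=accept)(action_list=(aut=off)(moct=0)(mct=0)(mit=0)(conn_stats=on)))"},
        {"rule": "(rule=(src=cman21c)(dst=127.0.0.1)(srv=cmon)(act=accept))"},
        {"rule": "(rule=(src=cman21c)(dst=*)(srv=cmon)(act=accept))"},
    ],
})


def parse_rule(rule_text):
    """Return the leaf key=value pairs of one CMAN rule string as a dict."""
    # Only innermost pairs such as (src=*) match; wrappers like (rule=(...))
    # and (action_list=(...)) contribute their leaf pairs, not themselves.
    pairs = re.findall(r"\(\s*(\w+)\s*=\s*([^()]+?)\s*\)", rule_text)
    return {key.lower(): value.lower() for key, value in pairs}


def audit_show_all(response_text):
    """Return a list of findings for a /show/all JSON response."""
    doc = json.loads(response_text)
    params = doc.get("Parameters", {})
    findings = []
    # Policy assumption of this example: remote administration should not be
    # enabled while the password parameter is reported as OFF.
    if params.get("remote_admin") == "ON" and params.get("password") == "OFF":
        findings.append("remote_admin is ON while password is OFF")
    for number, entry in enumerate(doc.get("Rule_List", []), start=1):
        rule = parse_rule(entry.get("rule", ""))
        if rule.get("act") != "accept":
            continue
        wildcards = [f for f in ("src", "dst", "srv") if rule.get(f) == "*"]
        if len(wildcards) == 3:
            findings.append(f"rule {number}: accepts any source, destination and service")
        elif "src" in wildcards:
            findings.append(f"rule {number}: accepts any source")
    return findings


if __name__ == "__main__":
    for finding in audit_show_all(SAMPLE_SHOW_ALL):
        print(finding)
```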
Procedure
- Set the attribute REST_ADDRESS=SERVER:PORT in cman.ora
- Set the wallet attribute in cman.ora
- Create the wallet
- Add the SSL certificate
- Store the authorization for access to the REST API
CMAN configuration
Set the parameter "REST_ADDRESS=hostname:port" in cman.ora and add the path to the wallet:
cd $ORACLE_HOME/network/admin/
vi cman.ora
..
( REST_ADDRESS=cman21c:8000 )
..
wallet_location = (source = (method = file) (method_data = (directory="/opt/oracle/wallet/wallet-cman-tdm")))
In my case I already have a wallet, so that wallet is reused.
Wallet configuration for the SSL endpoint
If needed, create a new one:
$ORACLE_HOME/bin/orapki wallet create -wallet /opt/oracle/wallet/wallet-cman-tdm
Remember the password!
Add the server certificate:
$ORACLE_HOME/bin/orapki wallet add -wallet /opt/oracle/wallet/wallet-cman-tdm -dn 'cn=cman21c, c=pipperr.local' -keysize 2048 -self_signed -validity 365
Create the login user
mkstore -wrl /opt/oracle/wallet/wallet-cman-tdm -createEntry cmanadmin cmanSecretPWD
Set the wallet to auto-login
$ORACLE_HOME/bin/orapki wallet create -wallet /opt/oracle/wallet/wallet-cman-tdm -auto_login
Restart CMAN
cmctl
CMCTL> administer cman_gpi
CMCTL:cman_gpi> shutdown
CMCTL:cman_gpi> startup
Testing
Check whether anything is reachable yet:
netstat -tulpe
Query the REST interface:
curl --insecure -X GET -u cmanadmin:cmanSecretPWD https://cman21c:8000/show/services
# alternatively with wget
wget -O- --no-check-certificate --user cmanadmin --password cmanSecretPWD https://cman21c:8000/show/all
Problem: Authentication is needed - Invalid password
On the first test the password is rejected right away.
{"error": { "errors": [ { "reason": "Authentication is needed", "message": "" } ], "http_error_code": 401, "message": "Login Required" }}
In the log:
2023-11-08 19:06:49.035000 +01:00 (LOG_RECORD=(TIMESTAMP=08-NOV-2023 19:06:49)(EVENT=Invalid password))
But how does the password have to be stored in the wallet? Done as described in the documentation, it does not work at first.
Second attempt:
mkstore -wrl /opt/oracle/wallet/wallet-cman-tdm -createEntry cmanadmin cmanSecretPWD
Now a different error shows up:
{"error": { "errors": [ { "reason": "Invalid URI or JSON payload or Not authorized operation", "message": "" } ], "http_error_code": 500, "message": "Internal server error" }}
Nothing shows up in the CMAN log, so either a rule is wrong or the REST call is wrong ⇒ the latter was the case: with the URL https://cman21c:8000/show/all it works, while https://cman21c:8000/show/services hangs.
curl --insecure -X GET -u cmanadmin:cmanSecretPWD https://cman21c:8000/show/services
hangs ...
Sources
Documentation: