Prerequisites for Applications Manager


Discussed below are the prerequisites for managing the various monitors:


Application Servers

Glassfish

While monitoring Glassfish application servers, make the following changes in the domain.xml file and then restart it:

  • Change the "accept-all" property to "true" for the "jmx-connector" node : <jmx-connector accept-all="true"

The configuration line should look like this:
<jmx-connector accept-all="true" address="0.0.0.0" auth-realm-name="admin-realm" enabled="true" name="system" port="8686" protocol="rmi_jrmp" security-enabled="false"/>

JBoss

The prerequisites for managing the various versions of JBoss server are:

JBoss Version 3.x and 4.x

To monitor JBoss, the http-invoker.sar should be deployed in the JBoss Server. The application (http-invoker.sar) is by default deployed in the JBoss server.

If the http port of the JBoss server is changed then the port number in the attribute InvokerURLSuffix should also be modified in <JBOSS_HOME>/server/default/deploy/http-invoker.sar/META-INF/jboss-service.xml file.

JBoss Version 5x

To monitor JBoss 5.x version, jbossagent.sar should be deployed in JBoss server. To deploy, follow the steps below:

  • Copy jbossagent.sar from location <Applications Manager home>/working/resources and paste under <JBOSS_HOME>/server/default/deploy
  • If you are running JBoss in different domain like all, then deployment target folder would be <JBOSS_HOME>/server/all/deploy.

JBoss Version 6.x

To monitor JBoss 6.x version, jbossagent.sar should be deployed in JBoss server. To deploy, follow the steps below:

Example:
<bean class="org.jboss.services.binding.ServiceBindingMetadata">
<property name="serviceName">
jboss.remoting:service=JMXConnectorServer,protocol=rmi
</property>
<property name="port">1090</property>
<property name="description">RMI/JRMP socket for connecting to the JMX MBeanServer</property>
</bean>

  • Copy jbossagent.sar from location <Applications Manager home>/working/resources and paste under <JBOSS_HOME>/server/default/deploy
  • If you are running JBoss in different domain like all, then deployment target folder would be <JBOSS_HOME>/server/all/deploy.
  • Provide the rmiRegistryPort which is available in <JBOSS_HOME>/server/<domainname>/conf/bindingservice.beans/META-INF/bindings-jboss-beans.xml file. The default port is 1090.

Note: JBOSS 6 EAP should be added as JBoss 7

JBoss Version 7.x and above

To add a new monitor for JBoss Version 7.x and above you must provide a management port. The default port is 9990.

JBoss Wildfly

  1. Change the Management port binding to use the network accessible interface:
    • In the JBoss config file (i.e. <JBOSS_HOME>\standalone\configuration\standalone-full.xml) change jboss.bind.address.management:127.0.0.1 to jboss.bind.address.management 0.0.0.0
    • Restart the service
  2. Add a JBoss administration user for monitoring:
    • <JBOSS_HOME>/bin/add-user.bat <USERID> <PASSWORD> ManagementRealm -silent

Oracle Application Server

Applications Manager uses the Dynamic Monitoring Service (DMS) provided by Oracle Application Server to monitor the same. For this reason, the DMS Servlet has to be made accessible to the system where the Applications Manager is running.

To enable the access, please follow the instructions provided below
[The instructions are referred from the Oracle website: http://docs.oracle.com/cd/B14099_19/core.1012/b14001/monitor.htm]

By default, the dms0/AggreSpy URL is redirected and the redirect location is protected, allowing only the localhost (127.0.0.1) to access the AggreSpy Servlet.

To view metrics from a system other than the localhost you need to change the DMS configuration for the system that is running the Oracle Application Server that you want to monitor by modifying the file $ORACLE_HOME/Apache/Apache/conf/dms.conf on UNIX, or%ORACLE_HOME%\Apache\Apache\conf\dms.conf on Windows systems.

The following example shows a sample default configuration from dms.conf. This configuration limits AggreSpy to access metrics on the localhost (127.0.0.1). The port shown, 7200, may differ on your installation.

Example: Sample dms.conf File for localhost Access for DMS Metrics
# proxy to DMS AggreSpy

Redirect /dms0/AggreSpy http://localhost:7200/dmsoc4j/AggreSpy
#DMS VirtualHost for access and logging control
Listen 127.0.0.1:7200
OpmnHostPort http://localhost:7200

<VirtualHost 127.0.0.1:7200>

ServerName 127.0.0.1

By changing the dms.conf configuration to specify the host that provides, or serves DMS metrics, you can allow users on systems other than the localhost to access the DMS metrics from the location http://host:port/dms0/AggreSpy.

Caution: Modifying dms.conf has security implications. Only modify this file if you understand the security implications for your site. By exposing metrics to systems other than the localhost, you allow other sites to potentially view critical Oracle Application Server internal status and runtime information.

To view metrics from a system other than the localhost (127.0.0.1), do the following:

  • Modify dms.conf by changing the entries with the value for localhost "127.0.0.1" shown in Example to the name of the server providing the metrics (obtain the server name from the ServerName directive in the httpd.conf file, for example tv.us.oracle.com).
  • Find below a sample updated dms.conf that allows access from a system other than the localhost (127.0.0.1)

    Example: Sample dms.conf File for Remote Host Access for DMS Metrics:
    # proxy to DMS AggreSpy
    Redirect /dms0/AggreSpy http://tv.us.oracle.com:7200/dmsoc4j/AggreSpy
    #DMS VirtualHost for access and logging control
    Listen tv.us.oracle.com:7200
    OpmnHostPort http://tv.us.oracle.com:7200
    <VirtualHost tv.us.oracle.com:7200>
    ServerName tv.us.oracle.com

  • Restart, or stop and start the Oracle HTTP Server using Application Server Control Console or using the Oracle Process Manager and Notification Server opmnctl command.

    For example,
    %opmnctl restartproc process-type=HTTP_Server
    or
    %opmnctl stopproc process-type=HTTP_Server
    %opmnctl startproc process-type=HTTP_Server

After performing the above steps, please ensure that you are able to access the URL http://<host>:7200/dmsoc4j/AggreSpy from the Applications Manager system.

To check if a user has select privilege:

We suggest you to execute the below query directly in your Oracle machine and check if a connected user has select privilege or not :

select TABLE_NAME,PRIVILEGE from user_tab_privs_recd where table_name in ('ALL_SCHEDULER_JOB_RUN_DETAILS','V_$RMAN_BACKUP_JOB_DETAILS','ALL_SCHEDULER_JOBS','ALL_SCHEDULER_RUNNING_JOBS');

If there is no row selected or privilege column does not have select value for the above table_name columns, then the user doesn't have privilege to access the table.

To grant Privilege:

Use the following query:

grant select on tablename to username;

Example: grant select on V_$RMAN_BACKUP_JOB_DETAILS to monitoruser;
Note : As above, you have to give grant permission on all the tables mentioned in the above query

Tomcat

Applications Manager agent has to be deployed in Tomcat Servers 3.x and 4.x. More

Tomcat 3.x and 4.x needs no user name and password. In case of Tomcat 5.x and above, an application named Manager must be running in it for Applications Manager to monitor the Tomcat server. By default, this application will be running in the server.If you have customized the manager application (Eg., \qamanager), then you can use the option "Tomcat Manager Application URI" in the client, for Applications Manager to monitor the Tomcat server.

For Tomcat Versions 5.x & 6.x and 7.x:

  • The user role to access the server must be manager (versions 5.x & 6.x) / manager-jmx (version 7.x).
  • To add a role as "manager" (versions 5.x & 6.x) / "manager-jmx" (version 7.x) for any of the users such as tomcat, role1, or both, you need make changes in tomcat-users.xml file located in the <TOMCAT-HOME>/conf directory.

For Tomcat 8:

Remote access to Applications Manager is restricted, by default.

Include the IP address of Applications Manager-installed host machine in CATALINA_HOME/webapps/manager/META-INF/context.xml file (under 'allow =' ).

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

Example:

Default configurations in tomcat-users.xml in Tomcat Server:

<tomcat-users>
<role rolename="tomcat" />
<role rolename="role1" />
<user username="tomcat" password="tomcat" roles="tomcat" />
<user username="role1" password="tomcat" roles="role1" />
<user username="both" password="tomcat" roles="tomcat,role1" />
</tomcat-users>

After adding the roles for the "tomcat" user, the modified entries will be as follows:

<tomcat-users>
<role rolename="tomcat" />
<role rolename="role1" />
<role rolename="manager" />
<user username="tomcat" password="tomcat" roles="tomcat,manager" />
<user username="role1" password="tomcat" roles="role1" />
<user username="both" password="tomcat" roles="tomcat,role1" />
</tomcat-users>

On making the configuration, restart the Tomcat Server.
Now, when adding a new Tomcat (5.x and above) monitor, specify the username/password as tomcat/tomcat when discovering the Tomcat Server.

[Click the link to view an example tomcat-users.xml for versions 5.x / 6.x and tomcat-users.xml for versions 7.x]

Note:

1) After adding the Manager role in tomcat-users.xml, you should be able to access the manager application - <Host>:<PORT>/manager/status (Provide manager user credentials).
2) If the application is not accessible, add the following entry in server.xml, under 'Engine' context:
<Realm className="org.apache.catalina.realm.MemoryRealm" />
3) Restart the server and try to access manager application.

WebLogic Server

To monitor WebLogic 6.1:

Follow the steps given below:

  • Provide only Admin user name.
  • In the remote WebLogic server, navigate to <Weblogic Home>/weblogic61/server/lib directory. From there, copy Weblogic.jar to <AppManager Home>\working\classes\weblogic\version6 directory in the machine where Applications Manager is running.

To monitor WebLogic 7.x:

You should set the weblogic.disableMBeanAuthorization and weblogic.management.anonymousAdminLookupEnabled variables to true for enabling data collection. Follow the steps given below:

  • Edit startWLS.cmdsh present in the <WLS_HOME>/server/bin directory and add the following arguments
    -Dweblogic.disableMBeanAuthorization=true

    -Dweblogic.management.anonymousAdminLookupEnabled=true
    Click here for Sample startWLS.cmd/sh
  • Restart the WebLogic Server for the changes to take effect
  • In the remote WebLogic server, navigate to <Weblogic Home>/weblogic70/server/lib directory. From there, copy Weblogic.jar to <AppManager Home>\working\classes\weblogic\version7 directory in the machine where Applications Manager is running.

To monitor WebLogic 8.x:

You should set the weblogic.disableMBeanAuthorization and weblogic.management.anonymousAdminLookupEnabled variables to true for enabling data collection. Follow the steps given below:

  • Edit startWLS.cmdsh present in the <WLS_HOME>/server/bin directory and add the following arguments
    -Dweblogic.disableMBeanAuthorization=true

    -Dweblogic.management.anonymousAdminLookupEnabled=true Click here for Sample startWLS.cmd/sh
  • Restart the WebLogic Server for the changes to take effect
  • In the remote WebLogic server, navigate to <Weblogic Home>/weblogic81/server/lib directory. From there, copy Weblogic.jar to <AppManager Home>\working\classes\weblogic\version8 directory in the machine where Applications Manager is running.

To monitor WebLogic 9.x:

In the remote WebLogic server, navigate to <Weblogic Home>/weblogic92/server/lib directory. From there, copy Weblogic.jar to <AppManager Home>\working\classes\weblogic\version9 directory in the machine where Applications Manager is running.


To monitor WebLogic 10.x , 11g:

In the remote WebLogic server, navigate to <Weblogic Home>/wlserver/server/lib directory. From there, copy Weblogic.jar, wlclient.jar, wljmsclient.jarwlthint3client.jar to <AppManager Home>\working\classes\weblogic\version10 directory in the machine where Applications Manager is running.


To monitor WebLogic 12.x:

In the remote WebLogic server, navigate to <Weblogic Home>/wlserver/server/lib directory. From there, copy wlclient.jar and wljmxclient.jar to <AppManager Home>\working\classes\weblogic\version12 directory in the machine where Applications Manager is running. 

Note: <Weblogic Home> is the Weblogic Installation directory


For SSL support over Weblogic:

Weblogic certificate has to be imported to <AppManager Home>/working/jre/lib/security/cacerts file. This certificate can be imported through <AppManager Home>/bin/WeblogicCertificate.bat/sh files.

Syntax: WeblogicCertificate.bat [import] [Full path of weblogic server certificate] [alias name]

Example: C:\Program Files\ManageEngine\AppManager\bin> WeblogicCertificate.bat import "C:\Oracle\Middleware\Oracle_Home\user_projects\domains\MyDomain\root.cer" mykey

Note:
* If customer is monitoring all three versions of weblogic (10.x, 11g, 12C), then get the jars from latest version of WebLogic (Version 12c).
* SSL option is enabled in the UI only for version 9 and above.

The ports that need to be opened when the Weblogic Monitor is behind the firewall: Two-way communication between WebLogic listening port (default : 7001) and Applications Manager web server port (default : 9090).


For WebLogic 7.x, 8.x:

"%JAVA_HOME%\bin\java" %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% -classpath "%CLASSPATH%" -Dweblogic.Name=%SERVER_NAME% -Dbea.home="C:\WebLogic\WL7.0" -Dweblogic.disableMBeanAuthorization=true -Dweblogic.management.anonymousAdminLookupEnabled=true -Dweblogic.management.username=%WLS_USER% -Dweblogic.management.password=%WLS_PW% -Dweblogic.management.server=%ADMIN_URL% -Dweblogic.ProductionModeEnabled=%STARTMODE% -Djava.security.policy="%WL_HOME%\server\lib\weblogic.policy" weblogic.Server
goto finish

:runAdmin
@echo on
"%JAVA_HOME%\bin\java" %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% -classpath "%CLASSPATH%" -Dweblogic.Name=%SERVER_NAME% -Dbea.home="C:\WebLogic\WL7.0" -Dweblogic.disableMBeanAuthorization=true -Dweblogic.management.anonymousAdminLookupEnabled=true -Dweblogic.management.username=%WLS_USER% -Dweblogic.management.password=%WLS_PW% -Dweblogic.ProductionModeEnabled=%STARTMODE% -Djava.security.policy="%WL_HOME%\server\lib\weblogic.policy" weblogic.Server

WebSphere Application Server

Prerequisites for WebSphere Versions 8.x and below

For base deployment:

You have to modify the Performance Monitor Interface (PMI) Specification Level from "None" to "Standard". Then deploy the perfServletApp.ear file, which uses the PMI infrastructure to retrieve the performance information from WebSphere Application Server, in the WebSphere. Restart WebSphere Application Server.

For Network deployment:

You have to modify the PMI Sepcifictaion Level from "None"to "Standard" in all the WebSphere Servers in Network Deployment. Then deploy theperfServletApp.ear file, which uses the PMI infrastructure to retrieve the performance information from WebSphere Application Server, in any one of the WebSphere Servers in the Network Deployment. Restart WebSphere Application Server.

Note: Steps to check whether WebSphere monitor has been correctly set

To modify PMI specification level:

  • Connect to the Admin console - http://<Host>:<Port>/admin/
  • On the left-side tree, expand the Servers node.
  • Click on Application Servers link. This will display the list of servers running in the node.
  • Click on the server for which data collection has to be enabled.
  • In the Additional Properties table, click on Performance Monitoring Service.
  • Change the Initial specification level to "Standard" and then apply the changes. Also enable (select) Startup.

To deploy perfServletApp.ear:

  • Open the Admin console
  • Go to Applications then Application Types, then WebSphere Enterprise Applications.
  • Click Install and select local system.
  • Browse the perf servlet application then click ok.
  • The Default Path is <WAS_INSTALLED_PATH>/<APP_SERVER_NAME>/installableApps/PerfServletApp.ear
  • Accept all default options and select Next until finish then click Save.
  • After successfully installed this application, restart the node server once in order to work the perf servlet work correctly.

Make sure that a WebSphere Admin User is added to the monitor group of the perfservletApp, if global security is enabled in Websphere. To do so, go to WebSphere Admin consoleApplicationsInstalled Applications → Choose perfservletappSecurity role to user group mapping → Choose Monitor RoleAssociate the admin userSave directly to the master configuration.

To check the perf servlet output, open the following url from your browser:

http://localhost:<PORT>/wasPerfTool/servlet/perfservlet?connector=SOAP&port=8880 <PORT> - 9080 (Default)

Steps to Check whether Websphere monitor has been correctly set

For Base Deployment:

To ensure whether the PMI & perfServletApp are configured properly in WebSphere, invoke the below URL & check whether the data is returned in XML format.

http://WebSphereHost:Port/wasPerfTool/servlet/perfservlet?connector=SOAP&port=SOAP-PORT

where

  • WebSphere Host - Host in which WebSphere Application Server is running
  • WebSphere Port - HTTP Transport port of the WebSphere Application server [How to locate HTTP Port]
  • SOAP Port - SOAP Port of WebSphere [How to locate SOAP Port]

For Network Deployment:

To ensure whether the PMI & perfServletApp are configured properly in WebSphere, invoke the below URL & check whether the data is returned in XML format.

http://WebSphereHost:Port/wasPerfTool/servlet/perfservlet?connector=SOAP&port=NetworkDeployerSOAP-PORT&HOST=NetworkDeployerHost

where

  • WebSphere Host - The host of the websphere application server in which the perf servlet application is installed
  • Websphere Port - HTTP Transport port of the Websphere server in which the perf servlet application is installed [How to locate HTTP Port]
  • NetworkDeployer SOAP PORT - The SOAP port of the domain manager (DMGR) [How to locate SOAP Port]
  • Network Deployer Host - The host in which the domain manager is running.

Note: Also check whether WebSphere admin user is added to the monitor group of the perfservletApp.

How to locate SOAP Port?

1. Login to Admin console

2. Expand the server link on left side tree. Click on Application Servers

3. In Base mode, various WebSpheres will be listed down. Click on the WebSphere's name- > Under Additional Properties, click on End Points link -> click on SOAP connector address. You can get the SOAP port from there.

4. In Network Deployment mode, Click DMGR - > Under Additional Properties, click on End Points link -> click on SOAP connector address - You can get the SOAP port from there.

How to find the HTTP Transport port?

1. Login to Admin console

2. Expand the Server link on left side tree, Click on Application Servers

3. Various WebSpheres will be listed down. Click on the WebSphere's name- > Under Additional Properties, click on Web Container link -> click on HTTP Transports link. You can get the HTTP port from there.

Prerequisites for WebSphere Versions 9:

  • Enable Performance Monitoring Infrastructure (PMI) in application server (for base mode), and in all application servers and the node agents ( in ND mode ) which you want to monitor.
  • Go to Websphere Console, then Servers and All servers.
  • Click on the server name, then "Performance Monitoring Infrastructure (PMI)" under "Performance" tab.
  • Check the box "Enable Performance Monitoring Infrastructure".
  • Click Apply, Save and Restart the server.
  • Go to the Websphere Console, System Administration then Node agents
  • Click on the node agent, then "Performance Monitoring Infrastructure (PMI)".
  • Check the box "Enable Performance Monitoring Infrastructure".
  • Click Apply, Save and Restart the server.
  • For Network deployment mode, enable Global security
  • Go to the Websphere Console, go to Security then Global Security.
  • Under "Administrative security", check "Enable administrative security".
  • Click Apply, Save and Restart the server.
  • SSL certificates has to be added to APM incase SSL is enabled or Global security is enabled.

Steps: https://pitstop.manageengine.com/portal/kb/articles/how-to-import-certificates-for-monitoring-websphere-application-server-with-ssl-authentication

Resin Server

JMX MBeans are used to monitor Resin Application server's activity. To enable JMX, open Resin.XML and add the below JVM arguments or start Resin.exe with the below JVM arguments

-Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false

Replace 1099 with the actual port number of the JMX agent

Jetty Server

JMX MBeans are used to monitor Jetty server's performance. To enable JMX,

  1. Add the below JVM arguments on Jetty start up:
    -Dcom.sun.management.jmxremote.port=9999
    -Dcom.sun.management.jmxremote.ssl=false
    -Dcom.sun.management.jmxremote.authenticate=false
    -Dcom.sun.management.jmxremote
    • Replace 9999 with the actual port number of the JMX agent
  2. Add the following line in start.ini file --module=jmx

Apache Geronimo

To monitor Apache Geronimo Server, add the following java runtime options to the startup file of your application:

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=1999
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false

Replace 1999 with the any free port available.
You can find the startup file here : <Geronimo-Installation-Directory>/bin

Database Servers

IBM Informix Server

JDBC Driver:

To monitor IBM Informix DB, make sure that the ifxjdbc.jar file is present in the location:<ProductHome>\working\classes directory. The jar file can be copied from the IBM Informix installation location, <IBM Informix Home>\jdbc\lib\jar. Restart Applications Manager after copying the file.

User Privileges:

To add an Informix DB monitor, a user requires Connect database-level privileges and he should be able to access sysmaster database.

Microsoft SQL Database Server

For monitoring a Microsoft SQL database server, the SQL user account used for monitoring should have access to MASTER, MSDB and DISTRIBUTION databases. User should have the following roles:

sysadmin server role : Go to SQL Server Management Studio → Go to Logins → Choose the respective user and open properties → Go to 'Server roles' and select sysadmin role → Save the option and proceed with adding the SQL monitor in Applications Manager.

(OR)

1. Provide VIEW SERVER STATE permission on the server to the respective SQL user.

To grant VIEW SERVER STATE, you can use any of the following methods :

i) Execute the following query:

GRANT VIEW SERVER STATE TO username;

ii) In SQL Management Studio for user Choose Properties Securables → Click Add ( under Securables ) → Choose 'All objects of the Types...' → Choose Servers → Choose Grant for 'View server state' permission.

2. Provide the following DB roles:

  • DB Role required for all databases: public, db_datareader (To see key metrics in all databases)
  • DB Role required for msdb database: public, db_datareader, SQLAgentReaderRole, SQLAgentOperatorRole (For SQL Jobs monitoring/Log Shipping monitoring/Replication monitoring)
  • DB Role required for distribution database: public, db_datareader (For SQL Replication monitoring)
  • DB role required for monitoring DBCC CHECKDB & DBCC DBREINDEX/INDEXDEFRAG commands: db_writer

To monitor AlwaysOn Availability Groups in Applications Manager, the admin must provide view any definition permission on the server to the respective SQL user. To do so, you can use any of the following methods:

(i) Execute the following query:

GRANT VIEW ANY DEFINITION TO username;

(ii) In SQL Management Studio, for user, choose Properties → Securables → click Add ( under Securables ) → choose 'All objects of the Types...' → Choose Servers → Choose Grant for 'view any definition' permission.

MongoDB Servers

Supported Versions: MongoDB 3.2 and older versions. We support mongod services and mopngos services

To create a MongoDB monitor in Applications Manager, a user should have read privileges to all the MongoDB databases

MySQL Database Servers

MySQL monitor requires MySQL Java Connector to be present in the Applications Manager classpath. You can verify this by following these steps:

  • Check <Applications Manager Home>/working/mysql/MMMySQLDriver/ directory for the file mysql_connector.jar
  • If the .jar file is not present, you can download it from here (for MYSQL versions older than 5.6) or here (for MYSQL version 5.6 and newer).
  • Extract the downloaded zip file.
  • Find mysql-connector-java-3.0.10-stable-bin.jar or mysql-connector-java-5.1.46.jar file and rename the file as mysql_connector.jar
  • In the machine, where Applications Manager is running, copy the downloaded mysql_connector.jar to <Applications Manager Home>/working/mysql/MMMySQLDriver/ directory.
  • Restart Applications Manager.

Privileges Required :

While monitoring a MySQL database server, ensure that you assign a username that has permission to access the MySQL database from the host where Applications Manager is running. An alternate way is to add a relevant user who has the privileges to do the same. The user should have privileges to execute SELECT, SHOW DATABASES, REPLICATION commands in the MySQL server.

For enabling these privileges, execute the following commands in the remote MySQL Server:

If MySQL version is below 5.7:

  • To create a new user in mysql database:
    • USE mysql;
    • INSERT INTO user (Host,User) VALUES('<host>','<user>');
  • Granting privileges required for DB-user to monitor MySQL DB-sever:
    • GRANT SELECT,SHOW DATABASES,REPLICATION CLIENT,REPLICATION SLAVE ON *.* TO '<user>'@'<host>';
    • FLUSH PRIVILEGES; (Use the host name - Applications Manager machine).

If MySQL version is 5.7:

  • To create a new user in mysql database:
    • USE mysql;
    • CREATE USER <user>@'%' IDENTIFIED BY 'password';
  • Granting privileges required for DB-user to monitor MySQL DB-sever:
    • GRANT SELECT,SHOW DATABASES,REPLICATION CLIENT,REPLICATION SLAVE ON *.* TO '<user>'@'<host>';
    • FLUSH PRIVILEGES; (Use the host name - Applications Manager machine).

If MySQL version is 8.0 and above:

  • To create a new user in mysql database:
    • USE mysql;
    • CREATE USER '<user>'@'<host>' IDENTIFIED WITH mysql_native_password BY 'password';
  • Granting privileges required for DB-user to monitor MySQL DB-sever:
    • GRANT SELECT,SHOW DATABASES,REPLICATION CLIENT,REPLICATION SLAVE ON *.* TO '<user>'@'<host>';
    • FLUSH PRIVILEGES; (Use the host name - Applications Manager machine).

Prerequisites for MySQL SSL sever monitoring:

  • User account requires tls_option.
    • ALTER USER '<user>'@'<host/Ip-address>' REQUIRE <tls_option>; [ tls_option: { SSL | X509 | CIPHER 'cipher' | ISSUER 'issuer' | SUBJECT 'subject' } ]
  • Add the client certificates and its root certificates in AppManagerHome/working/cert/apm.keytore.
  • Add the monitor by enabling 'SSL' option in Add New Monitor page. If the monitor is already added, update the 'SSL' option in Edit Monitor page.

Oracle Database Servers

A user with CONNECT and SELECT_CATALOG_ROLE roles are required for Oracle monitoring in Applications Manager. Configure a user with these permissions and use the credentials in Applications Manager

Prerequisites for monitoring Oracle Alert Log metrics

Login as SYS user and run the following queries:

  • Create or replace view v_$appman_alertlog_ext as select * from x$dbgalertext
  • Create or replace public synonym v$appman_alertlog_ext for sys.v_$appman_alertlog_ext
  • Grant select on v$appman_alertlog_ext to [USERUSEDFORORACLEDBSERVERMONITOR]
Note: Oracle DB Alert Log monitoring is supported for version Oracle 11g and above only.

Prerequisites for monitoring Oracle Redo Log metrics

Login as SYS user and run the following queries:

  • Create or replace view v_$appman_redolog_cp_ext as select * from x$kcccp
  • Create or replace public synonym v$appman_redolog_cp_ext for sys.v_$appman_redolog_cp_ext
  • Grant select on v$appman_redolog_cp_ext to [USERUSEDFORORACLEDBSERVERMONITOR]
  • Create or replace view v_$appman_redolog_le_ext as select * from x$kccle
  • Create or replace public synonym v$appman_redolog_le_ext for sys.v_$appman_redolog_le_ext
  • Grant select on v$appman_redolog_le_ext to [USERUSEDFORORACLEDBSERVERMONITOR]

Prerequisites for monitoring Oracle Pluggable Database (PDB) metrics

SYS or SYSTEM or Common user with CONNECT and SELECT_CATALOG_ROLE roles is required to monitor Oracle PDBs.

PostgreSQL

The PostgreSQL installers include the database server, pgAdmin and StackBuilder.

The 8.x installers are supported on:

  • Ubuntu 6.06 and above
  • Fedora 6 and above
  • openSUSE 10 and above
  • SLES 9 and above, CentOS/RHEL 4 and above
  • Mac OS X 10.4 and above (Intel and PPC)
  • Windows XP and above.

The 9.x installers are supported on:

  • Ubuntu 8.04 and above
  • Fedora 10 and above
  • openSUSE 11 and above
  • SLES 11 and above
  • CentOS/RHEL 5 and above
  • Mac OS X 10.5 and above (Intel 32 and 64 bit)
  • Windows XP and above.

Applications Manager uses PostgreSQL's subsystem statistics collector to monitor PostgreSQL server activity. By default, the statistics collector is accessible. If you have problems in adding a new PostgreSQL server, follow the steps given below:

  1. Open postgresql.conf file under <postgres home>/data
  2. Check value of configuration parameter listen address it has to be "*", if not change it to "*". Click here for more details on configuring postgresql.conf
  3. Open pg_hba.conf under /data
  4. Add a new line 'host all all 0.0.0.0/0 md5' to allow all machines with proper password authentication to access PostgreSQL DB server. Click here for more details on configuring pg_hba.conf file.
  5. To monitor replication metrics, the database user is required to have Replication privilege (if replication is configured). Query to update the DB-user with Replication privilege is:

    ALTER USER <user-name> WITH Replication;

  6. To list out configuration related metrics & WAL file count., the database user is required to have Superuser privilege. Query to update the DB-user with Superuser privilege is:

    ALTER USER <user-name> WITH Superuser;

  7. To monitor top queries by CPU, include the below lines in postgresql.conffile:

    shared_preload_libraries = 'pg_stat_statements'
    pg_stat_statements.track = all

    Then execute the below query in Postgres:

    CREATE EXTENSION pg_stat_statements;

    After implementing the above steps, restart the Postgres server.

Limitations in PostgreSQL Replication:

  • Replication is not monitored for PostgreSQL server version 9.0 & 9.1.
  • Master server and slave server should be on different machines.
  • More than one slave shouldn't run on same machine.
  • Connections to any server (i.e either master or slave) via Unix socket can't be monitored.

SAP ASE / Sybase SQL Server / Sybase ASE

To monitor a Sybase ASE database monitor, the minimum privileges required by the user are as follows:

  1. There are select privileges for few tables in master database. They are:
    • master.dbo.systransactions
    • master.dbo.spt_values
    • master.dbo.sysprocesses
    • master.dbo.sysdatabases
    • master.dbo.syslogins
  2. User with mon_role, to execute a system procedure named as "sp_monitorconfig"

To provide the privileges mentioned above, use the following commands in Sybase ASE database:

  • exec sp_role 'grant', 'mon_role', <login-name>; (login-name assigned to the user)
  • grant select on master.dbo.systransactions to <user-name>;
  • grant select on master.dbo.spt_values to <user-name>;
  • grant select on master.dbo.sysprocesses to <user-name>;
  • grant select on master.dbo.sysdatabases to <user-name>;
  • grant select on master.dbo.syslogins to <user-name>;
Note: Execute the above commands in the Sybase SQL shell.

SAP HANA

  1. Need to copy ngdbc.jar into the location /working/classes. ngdbc.jar can be copied from installed SAP HANA Client folder.
  2. SAP HANA Client can be downloaded from here.
  3. If HANA is running on Cloud Platform, in addition to the above ngdbc.jar, SAP Cloud platform SDK is also needed. Copy the "lib" folder and neo.bat/sh file from SDK_HOME/tools to APM_HOME/working/hanacloud/tools/
  4. Restart Applications Manager after performing the above steps.
  5. Provide the below privileges for SAP HANA DB User.
    1. System privilege CATALOG READ.
    2. Object privilege SELECT on the schema _SYS_STATISTICS.
    To grant the above privileges, execute the below statements in SAP HANA SQL console.(Replace USER_NAME with actual HANA DB Username)
    1. GRANT MONITORING to < USER_NAME >
    2. CALL GRANT_ACTIVATED_ROLE ('sap.hana.admin.roles:Monitoring','< USER_NAME >')

SAP MaxDB

sapdbc.jar should be copied to Appmanager_Home\working\classes folder. By default, this jar will be available under <MaxDB_InstallationPath>\runtime\jar\sapdbc.jar.

SQL Anywhere

Applications Manager supports the monitoring of SQL Anywhere from version 17. We use system procedures for monitoring the SQL Anywhere server.

To monitor SQL Anywhere server, the DB user must have the following privileges:

  • Privilege to manage any DBspace.
  • Any one of the following roles: Monitor or Server Operator or Drop connection

To know more about system privileges, click here.

Note: Only databases that can be accessed with the given user credentials will be monitored.

IBM DB2

The user should have admin privileges or should be the DB owner for master database. A DB2 user with SYSMON instance level authority is required for monitoring DB2 server.

Long Running Queries (Available from version 9.7 & above):

To monitor 'Long Running Queries', the user must have any one of the following authorizations:

  • SELECT privilege on the MON_CURRENT_SQL administrative view
  • CONTROL privilege on the MON_CURRENT_SQL administrative view
  • DataAccess authority

Session details (Available from version 9.7 & above):

To monitor 'Session details', the user must have any one of the following authorizations:

  • Execute privilege on the routine
  • DataAccess authority
  • DBADM authority
  • SQLADM authority
Minimum User Privileges:
  • For monitoring IBM DB2 v.8 and v.9, the user should be able to access the SYSPROC procedures.
  • For monitoring IBM DB2 v.10, the user should be able to access the SYSIBMADM functions.

Granting a privilege to user:

Login to DB2 command line processor and execute below statement:

GRANT <authority> ON DATABASE TO USER <user-name>

where, <authority> can be any one of the following: DBADM, CREATETAB, BINDADD, CONNECT, CREATE_NOT_FENCED, IMPLICIT_SCHEMA, LOAD

To learn how to grant a privilege to a user, refer here.

CLOUD APPS

Microsoft Azure

Microsoft Azure Monitor can be added using 3 methods,

Discovery using AD Application & Service Principal – Mode 1

1. Create Active Directory Application:

  • Log in to Azure Portal (https://portal.azure.com) using the credentials of Microsoft account (@outlook.com or @live.com) using which the subscription was created.
  • Select ‘Azure Active Directory’ from the left pane
  • Select ‘App registrations’
  • Select ‘Add’
  • Click Create.

2. Getting Client ID, Tenant ID & Application Key:

Client ID:

  • Select ‘Azure Active Directory’ from the left pane.
  • Select ‘App registrations’ → Select your application
  • Copy the value given as ‘Application ID’. This is your Client ID.

Tenant ID:

  • Go to ‘Azure Active Directory’ → Properties
  • Copy the value given as ‘Directory ID’. This is your Tenant ID.

Application Key:

    • In the same page, click 'Certificates and Secrets' on the left panel.
    • Under 'Client secrets', click 'New client secret'.
    • Give a description like 'App key of 'AD _application_name' created for Applications Manager and choose 'Never' under 'Expires' and click 'Add'.
    • Credential will be updated for the same AD Application and copy the new client secret Value and this key is the 'Application Key'.

To know more on creating the Application Key, refer here.

3. Assign a role to the application:

  • Select ‘Subscriptions’ from the left pane.
  • Select ‘Access Control (‘IAM’).
  • Select ‘Add’.
  • Select the role as ‘Owner’ or ‘Contributor’.
  • Search for your application and select it.
  • Select OK to finish assigning the role.

4. Provide the Client ID, Tenant ID and Application Key in the Azure new monitor page of Applications Manager.

Discovery using Azure Organizational Account (Powershell) – Mode 2

1. Installing AzureRM Powershell module on Applications Manager server:

Open Powershell prompt with Administrator privileges. Run the following commands,

# Install the Azure Resource Manager modules from the PowerShell Gallery

Install-Module AzureRM

# Install the Azure Service Management modules from the PowerShell Gallery

Install-Module Azure

In case if you get the following error upon executing the above commands, then install the downloader from http://aka.ms/webpi-azps

Install-Module: The term ‘Install-Module’ is not recognized as the name of a cmdlet, function, script file or operable program

 

To check if the modules are installed successfully:
Open Powershell prompt with Administrator privileges. Run the following command,

Login-AzureRmAccount

If this opens a pop-up asking for Azure credentials, this means the required modules are installed successfully.

For further troubleshooting regarding installing the module, refer https://docs.microsoft.com/en-us/powershell/azureps-cmdlets-docs/

2. Create an Organizational account using Microsoft Azure administrator permissions

  • Log in to Azure Portal (https://portal.azure.com/) using the credentials of Microsoft account (@outlook.com or @live.com) using which the subscription was created.
  • Select Active Directory.
  • Select the default directory
  • Select Users, and then select New user.
  • On the User page, enter required information for this user - Username, First name, Last name, Groups, and Role.
  • Note down the Email ID and the password of your user (Autogenerated in the Password box after entering the above details).
  • Select Create.

3. Assign the Global administrator role to your organizational account

  • Log in to Azure Portal (https://portal.azure.com/).
  • Search for and select Active Directory.
  • Select Users.
  • Select the user for which Global administrator role needs to be assigned.
  • On the User Profile page, select Assigned Roles and then click on Add assignment.
  • Search for and select the role Global administrator.
  • After selecting the role, click on Add button.

The Global administrator role will be assigned to the required user.

After performing all the above steps,

  • Sign out of the current account.
  • Sign in using the newly created Email address and temporary password
  • You will be prompted to change the password, when logging in for the first time
  • Change and note down the new password

Provide this Email ID to ‘User Email’ field and Password to ‘Password’ field in the New monitor page, while using the mode ‘Azure Organizational Account (Powershell) of Applications Manager.

OAuth mode – Mode 3

1. Create Active Directory Application:

  • Log in to Azure Portal (https://portal.azure.com) using the credentials of Microsoft account (@outlook.com or @live.com) using which the subscription was created.
  • Select ‘Azure Active Directory’ from the left pane
  • Select ‘App registrations’
  • Select ‘Add’
  • Click Create.

2. Getting Client ID, Tenant ID & Application Key:

Client ID:

  • Select ‘Azure Active Directory’ from the left pane.
  • Select ‘App registrations’ → Select your application
  • Copy the value given as ‘Application ID’. This is your Client ID.

Tenant ID:

  • Go to ‘Azure Active Directory’ → Properties
  • Copy the value given as ‘Directory ID’. This is your Tenant ID.

Application Key:

    • In the same page, click 'Certificates and Secrets' on the left panel.
    • Under 'Client secrets', click 'New client secret'.
    • Give a description like 'App key of 'AD_application_name' created for Applications Manager and choose 'Never' under 'Expires' and click 'Add'.
    • Credential will be updated for the same AD Application and copy the new client secret Value and this key is the 'Application Key'.

To know more on creating the Application Key, refer here.

3. Assign a role to the application:

  • Select ‘Subscriptions’ from the left pane.
  • Select ‘Access Control (‘IAM’).
  • Select ‘Add’.
  • Select the role as ‘Owner’ or ‘Contributor’.
  • Search for your application and select it.
  • Select OK to finish assigning the role.

4. App Registration Permissions

  • Select your created application under Azure Active Directory → App Registration.
  • In the application's Overview page, click on 'API Permissions' available on the left pane.
  • Click on 'Add a Permission' option, select 'Azure Service Management' and choose 'Delegated Permissions'.
  • Select the 'user_impersonation' permission and then click on 'Add Permissions'.
  • Finally, click on 'Grant admin consent for APM' button.

Steps to create an OAuth Provider for Azure monitor:

  1. In Applications Manager, go to Admin → OAuth Provider and select Add OAuth Provider. (Make sure you are logged in from a fully qualified domain name as in the help card)
  2. Copy the Redirect URL from the Add OAuth Provider window.
  3. In the Microsoft Azure console, go to Azure Active Directory from the left pane, select App Registrations and click on the required application.
  4. In the application's Overview page, click on the link available under Redirect URIs and paste the Redirect URL copied from the Add OAuth Provider window. Click Save.
  5. Now copy the Client ID, Client Secret (Application Key) and Tenant ID obtained in the above steps and fill in the Add OAuth Provider window.
  6. Fill the required details as mentioned below:
    • Grant Type - Authorization Code
    • Authorization Endpoint URL - https://login.microsoftonline.com/<tenantID>/oauth2/authorize
    • Token endpoint URL - https://login.microsoftonline.com/<tenantID>/oauth2/token
    • Token request method - Post request body
    • Request body:
          Name - resource
          Value - https://management.azure.com/
    • Authenticated request method - Basic Authentication

    Note: Remaining fields should remain as default.

  7. Click Authorize button and authorize using the account to login to Azure.
  8. Once created, verify whether both Access token and Refresh token are generated.
  9. Use this OAuth Provider in the Microsoft Azure's New Monitor page.

Prerequisites for Enabling Guest OS:

Metrics monitored when Guest OS monitoring is enabled

  • Disk Utilization
  • Disk IO Statistics
  • Network Interface
Note: Guest OS metrics will be available only in Windows.

Steps to be done on Applications Manager Server

1. Enabling Powershell Remoting (To collect metrics by remoting into Azure VMs)

Open Powershell prompt with Administrator privileges

Execute the following commands:

Set-ExecutionPolicy Unrestricted

#To configure Windows PowerShell for remoting, type the following command:

Enable-PSRemoting -force

#Configure the TrustedHosts setting so that appmanager can trust the connections from other servers :

Set-Item wsman:\localhost\client\trustedhosts *

#To increase the maximum number of concurrent shells that a user can remotely open):

Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -value 25 -WarningAction SilentlyContinue

#To set idle timeout value for sessions : Determines how long the session stays open if the remote computer does not receive any communication from the local computer, including the heartbeat signal. When the interval expires, the session closes:

Set-Item WSMan:\localhost\Shell\IdleTimeout -value 60000 -WarningAction SilentlyContinue

#Restart the WinRM service for changes to take effect:

Restart-Service WinRM

 

 

 

 

 

2. Provide outgoing access on all ports for Applications manager server machine

3. Run Applications Manager with administrator privilege

4. Powershell script execution has to be enabled on Applications manager server

Execute the below cmdlet from an administrator powershell window:

Set-ExecutionPolicy Unrestricted

If the above cmdlet produces an Error as below, you can configure Powershell Script Execution via Group Policy Editor:

 

Configure Powershell Script Execution via Group Policy Editor

  • Open the Group Policy Editor from Control Panel→ Edit Group Policy (or) run gpedit.msc from Start menu.
  • To configure, navigate under Computer Configuration to Policies\Administrative Templates\Windows Components\Windows PowerShell.
  • You should see a setting called Turn on Script Execution like in the following image:

  • Double-click the setting. You will want to enable it and select an option from the drop down.

  • Set it to “Allow All Scripts”.
  • Click Apply and OK.

Prerequisites for adding a Virtual Machine

Microsoft Azure - Enable Diagnostics Extension (Windows & Linux VM)

Steps to Enable Diagnostics Extension for WINDOWS VMs :

  • Log in to Azure Portal (https://portal.azure.com) using the credentials of 'Administrator'
  • Navigate to your virtual machine
  • Click on 'Diagnostics settings' on the vertical pane. Select 'Agent' tab and click on 'Remove' at the bottom, as shown in the below image.

  • Under 'Overview' tab, click on 'Enable guest level monitoring' and click Save as shown in the image below.

  • Restart the VM

Steps to Enable Diagnostics Extension for LINUX VMs :

  • Log in to Azure Portal(https://portal.azure.com) using the credentials of 'Administrator'
  • Navigate to your virtual machine
  • Click on 'Diagnostics settings' on the vertical pane. Make Status as 'On', Choose a storage account and click 'Save' as shown below.

  • Restart the VM

GENERAL BEHAVIOUR

Note: In case if you change the resource group of any Virtual machine in Azure portal, then provide the updated details (Virtual Machine ResourceID and Resource Group Name) in the Edit monitor page of that Virtual machine in APM for data collection to happen.

Microsoft Azure SQL Database

  • Turn on diagnostics:
    • In Azure portal, navigate to the Azure SQL database to be monitored -> Click on Diagnostics settings -> Add a diagnostics setting by Archiving to a Storage account -> Provide a Storage account name -> The checkbox AllMetrics should be selected -> Save

  • Firewall rule configuration in portal:
    • In Azure portal, navigate to the Azure SQL database to be monitored -> Click on Overview -> Select Set Server Firewall -> Add your Client IPs to the list. Client should add all his public IPs under the firewall settings in SQL server.
    • Refer link for setting server firewall

  • Allowing outgoing access on port 1433:
    • For Applications manager to access and monitor the Azure SQL database, ensure that the firewall on your network and Applications Manager installed server allows outgoing communication on TCP port 1433.

Office 365

  • The Office 365 work or school account that you use for these procedures needs to be a member of an Office 365 admin role. For more information, see About Office 365 admin roles. The office 365 admin account used for monitoring must be assigned the below roles: Exchange administrator, SharePoint administrator or Skype For Business administrator.
Limitation: Accounts with multi factor authentication are not yet supported.
  • You can use the following 64-bit versions of Windows:
    • Windows 10
    • Windows 8.1 or Windows 8
    • Windows Server 2016
    • Windows Server 2012 R2 or Windows Server 2012
    • Windows Server 2008 R2 SP1*
* You need to install the Microsoft .NET Framework 4.5.x and then the Windows Management Framework 4.0. For more information, see Installing the .NET Framework and download the latest version of Windows Management Framework.

You need to use a 64-bit version of Windows because of the requirements for the Skype for Business Online module and one of the Office 365 modules.

  • Powershell version 4 or above.
To check the powershell version installed, open up a powershell prompt and run:
>$PSVersionTable
Check for the PSVersion attribute from the output
  1. To configure Windows PowerShell for remoting, type the following command:
    Enable-PSRemoting -force
  2. Configure the TrustedHosts setting on Appmanager machine, so that remote computers can trust it:
    Set-Item wsman:\localhost\client\trustedhosts
    *
  3. Set Execution Policy:
    Set-ExecutionPolicy RemoteSigned
  4. Restart the Windows Remote Management (WinRM) so the new settings will take effect:
    Restart-Service WinRM.

Enable TLS 1.2:

Using TLS 1.2 with Office Online Server requires strong cryptography in .NET Framework 4.5 or higher. To enable strong cryptography in .NET Framework 4.5 or higher, add the following registry keys:

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319] "SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\v4.0.30319] "SchUseStrongCrypto"=dword:00000001

To add the above registry keys via cmd prompt:

  1. Open command prompt -> Run as administrator :
  2. Enter the below :
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 /v SchUseStrongCrypto /t REG_DWORD /d 1
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /v SchUseStrongCrypto /t REG_DWORD /d 1

AWS Monitoring

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

  • STS - getCallerIdentity ( for IAM user with limited permissions)
  • EC2 - describe-instances ,
  • EC2 actions - StartInstances , StopInstances and RebootInstances
  • EBS - describeVolumes
  • RDS - describe-db-instances
  • RDS - describeDBClusters
  • S3 - listBuckets , listObjects
  • DynamoDB - listTables, describeTable
  • Billing - GetCostAndUsage, GetCostForecast API
  • ELB - describeLoadBalancers, describeTargetGroups, describeTargetHealth

The common APIs - 'GetMetricData' and 'GetMetricStatistics' used for all the metrics that we collect from CloudWatch.

Amazon EC2 Instances

To collect operating system-level metrics like Memory and Disk, you must deploy the Cloud-Watch Agent inside EC2 instance. The agent will send your data to Cloud-Watch from where Applications Manager fetches and displays it in the console. Click here to know more about how you can collect metrics from Amazon ec2 instances and on-premises servers with the Cloud-Watch Agent.

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

  • EC2 - describe-instances ,
  • EC2 actions - StartInstances , StopInstances and RebootInstances

The common API call - 'GetMetricStatistics' is used for all the metrics that we collect from Cloudwatch.

Amazon RDS Instances

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

  • RDS - describe-db-instances
  • RDS - describeDBClusters

The common API call - 'GetMetricData' is used for all the metrics that we collect from Cloudwatch.

Amazon DynamoDB Monitoring

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

  • ListTables
  • DescribeTable

The common API call -  'GetMetricStatistics' is used for all the metrics that we collect from Cloudwatch.

Amazon Billing

AWS account users are required to use their AWS Access Key and Secret Access Key to add an AWS monitor in Applications Manager. By default, AWS users have administrator privileges and can access AWS Service APIs. However, if your AWS user account has limited permission, here is the list of APIs used to collect metrics from the respective AWS services and performance metrics from CloudWatch:

  • GetCostAndUsage API - To retrieve cost and usage metrics for your Global Account
  • GetCostForecast API - To retrieve a forecast for how much Amazon Web Services predicts that you will spend over the forecast time period that you select, based on your past costs.

Amazon Elastic Load Balancer

Application Load Balancers APIs:

  • DescribeLoadBalancers
  • DescribeTargetGroups
  • DescribeTargetHealth

The common API call - 'GetMetricData' is used for all the metrics that we collect from Cloudwatch.

Amazon SNS

Amazon Simple Notification Service APIs:

  • ListTopics API - To retrieve the list of SNS topics in an account
  • ListSubscriptionsByTopic - To retrieve the list of subscriptions in a SNS topic

The common API call - 'GetMetricStatistics' is used for all the metrics that we collect from Cloudwatch.

Google Cloud Platform

Prerequisites:

  1. Login to the GCP console with Owner access to the Project to be monitored.
  2. Go to GCP Console → APIs & Services → Library, to enable the following APIs :
    • Cloud Resource Manager API
    • Compute Engine API
    • Stackdriver API
    • Stackdriver Monitoring API
    • Cloud Storage
    • Google Cloud Storage JSON API
    • Cloud Filestore API
  3. Follow the below mentioned steps to create an OAuth provider to monitor a GCP project.
  4. Once an OAuth provider is created, verify if it has an Access Token and Refresh Token.
  5. You can use OAuth provider to add multiple projects under the same account, but ensure that the APIs are enabled in each project before adding a monitor in AppManager.

Steps to create an OAuth Provider for GCP:

  1. In AppManager, go to Admin → OAuth Provider and select Add OAuth Provider. (Make sure you are logged in from a fully qualified domain name as in the help card)
  2. Copy the Redirect URL from the Add OAuth Provider window.
  3. Go to GCP Console → APIs & Services → OAuth consent screen.
  4. Under Authorised domain, enter the domain name from the Redirect URL and press the enter key.
  5. Go to GCP Console → APIs & Services → Credentials.
  6. Select Create Credentials → OAuth Client ID.
  7. Select Web Application and enter the copied Redirect URI in the Authorised redirect URIs section and press the Enter key.
  8. Now click Create button.
  9. The generated Client ID and Client secret will be displayed. Copy it and fill in the Add OAuth Provider window.
  10. Fill the following as below:
      • Grant Type - Authorization Code
      • Authorization Endpoint URL - https://accounts.google.com/o/oauth2/auth
      • Scope - https://www.googleapis.com/auth/cloud-platform
      • Query parameters:
            Name - access_type
            Value - offline
      • Token endpoint URI - https://oauth2.googleapis.com/token
      • Token request method - Post request body
      • Authenticated request method - Basic Authentication
    Note : Remaining fields should remain as default.
  11. Click Authorize button and authorize using the account to login to GCP.
  12. Once created, verify whetehr both Access token and Referesh token are generated.
  13. Use this OAuth Provider in the Google Cloud Platform's New Monitor page.

Oracle Cloud Infrastructure

To obtain data into Applications Manager, the user must have appropriate policies/permissions assigned by the administrator. To do so, follow the steps given below:

    1. Login as administrator into the Oracle Cloud Infrastructure console. Under Governance and Administration section, go to Identity → Groups option and click on Create Group button.
    2. Create a new group with the required group name (say 'AppManager') and add the required user to this newly-created group.
    3. Under Identity → Policy option, click on Create Policy button and create a new policy with the following policy statement:

ALLOW GROUP <Your Group Name> to use all-resources IN TENANCY

Example:

ALLOW GROUP AppManager to use all-resources IN TENANCY

Make sure that you are in the 'root' compartment while creating the above policy.

Note : Using this policy, the user can only read and cannot perform create and delete operations. (Refer here for more info.)

Oracle Autonomous Database

To obtain data for TableSpace, Sessions, Processes and Jobs in Applications Manager, you must configure the Oracle Wallet credentials in the Oracle Autonomous DB monitor. To do so, follow the steps given below:

    1. Go to Monitor Actions → Edit Monitor available on right-side of the Oracle Autonomous DB monitor dashboard page.
    2. Download the Oracle Wallet credentials. (Click here to learn how to download the Oracle Wallet credentials)
    3. After downloading, unzip the Wallet_databasename.zip file to a secured location.
    4. Copy the location path of that file and provide as input in the Wallet File Path field.
    5. Now open the tnsnames.ora file (obtained after unziping Wallet_databasename.zip file) in any text editor. This file contains the predefined services identifiable as high, medium, and low. Each service has its own TNS alias and connection string. Copy any one of the alias names (based on severity) and provide the same as input in the TNS Alias Name field. (Refer here to learn more)
    6. Enter the username and password details of the autonomous database.
    7. Click Update.

ERP

Oracle EBS

Applications Manager uses the Dynamic Monitoring Service (DMS) to monitor performance and availability of Oracle E-Business Suite. You can access performance metrics using servlets from the following URLs for different versions of EBS from Applications Managers:

      • EBS R11 - http://<host>:<port>/dms0/AggreSpy
      • EBS R12.0 - http://<host>:<port>/dms0/Spy
      • EBS R12.2.0 - http://<host>:<port>/dms/Spy

For Oracle E-Business Suite Version R11i, the DMS Servlet has to be made accessible to the system where Applications Manager is running. For Versions R12.0 and R12.2.0, the DMS Servlet should be accessible by default. It is recommended that you test to ensure that the Servlet is accessible to the Applications Manager system. [The instructions given below are referred from the Oracle website.]

For Oracle E-Business Suite R11i:

By default, the dms0/AggreSpy URL is protected, allowing only the localhost (127.0.0.1) to access the AggreSpy Servlet. To view metrics from a system other than the localhost, you need to change the DMS configuration for the system running the Oracle EBS that you want to monitor by modifying the trusted.conf file. This can be done as follows:

      • Open the trusted.conf file under $ORACLE_HOME/Apache/Apache/conf on a UNIX system, or%ORACLE_HOME%\Apache\Apache\conf\ on a Windows system.
      • Add the Applications Manager Hostname and IPaddress in the Allow from list as shown in the following example:
        <Location ~ "/(dms0|DMS|Spy|AggreSpy)">

        Order deny,allow

        Deny from all

        Allow from localhost

        Allow from <list of TRUSTED IPs>

        </Location>
      • Now open the httpd.conf and httpd_pls.conf files and check if the trusted.conf file is included. The Files are present under$ORACLE_HOME/Apache/Apache/conf on a UNIX system, or %ORACLE_HOME%\Apache\Apache\conf\ on a Windows system. If the trusted.conf file is not included, add the following lines in both the files and save:
        # Include the trusted.conf file

        include $ORACLE_HOME/Apache/Apache/conf/trusted.conf
      • Restart Oracle E-Business Suite and ensure that you are able to access the URL http://<host>:<port>/dms0/AggreSpy from the Applications Manager system.

For Oracle E-Business Suite R12.0:

Ensure that you are able to access the URL http://<host>:<port>/dms0/Spy (Hostname = Hostname with domain name, Port number = OAS listening port) from the Applications Manager system.

For Oracle E-Business Suite R12.2.0:

Ensure that you are able to access the URL http://<host>:<port>/dms/Spy (Hostname = Hostname with domain name, Port number = Weblogic Admin Server listening port) from the Applications Manager system. Users must enter the credentials of their Weblogic Admin server in their Oracle E-Business Suite to access the URL.

Caution: Modifying trusted.conf has security implications. Modify this file only if you understand the security implications for your site. By exposing metrics to systems other than the localhost, you allow other sites to potentially view critical Oracle EBS Server internal status and runtime information.

SAP Server, SAP CCMS

SAP Server Monitoring and SAP CCMS Monitoring requires SAP JavaConnector ( JCo) to be present in Applications Manager's classpath.

Note: The user name provided while adding SAP monitor should have sufficient privileges to access CCMS and Background job metrics. To check this, the user can execute RZ20 transaction in the SAP GUI and see if the CCMS monitor sets can be displayed.

Applications Manager build 14270 and above

For Windows:

      • Download and unzip the SAP JavaConnector [SAP JCo 3.1.x] from here. Depending on the hardware architecture of host machine where Applications Manager is running, make sure you download the respective zip file.
      • In the machine, where Applications Manager is running, copy sapjco3.jar and sapjco3.dll and sapjco3.pdb under AppManager_home/working/lib directory.
      • If Applications Manager is installed on Windows, as mentioned in SAP Note 2786882 on Windows platforms, JCo 3.1 requires the Visual Studio 2013 C/C++ runtime libraries to be installed on the system. To verify, check for the presence of the "Microsoft Visual C++ 2013 Redistributable" package in ControlPanel -> Program and Features. If not present, download and install the "Visual C++ 2013 Redistributable Package" from the Microsoft knowledge base article https://support.microsoft.com/en-us/help/4032938 and choose the package, which corresponds to the used Locale and JVM bit-width (x64 for 64-bit or x86 for 32-bit).
      • Restart Applications Manager.

Note: Do not copy the sapjco3.dll neither into the {windows-dir}/system32 nor into the {windows-dir}/SysWOW64 directory. This will break the operability of other JCo versions that are already installed on the same system. Furthermore you would risk that the current installation also would not work anymore, if the sapjco3.dll gets replaced in the respective Windows system directory in the future.

For Linux:

      • Download and unzip SAP JavaConnector[SAP JCo 3.1.x] from here. Depending on the hardware processor of the host machine where Applications Manager is installed. make sure you download the respective zip file.
      • In the machine, where Applications Manager is running, copy sapjco3.jar and libsapjco3.so under AppManager_home/working/lib directory.
      • Restart Applications Manager.

Applications Manager build below 14270

For Windows:

      • Download and unzip the SAP JavaConnector [SAP JCo 3.0.x] from here. Depending on the hardware architecture of host machine where Applications Manager is running, make sure you download the respective zip file.
      • In the machine, where Applications Manager is running, copy sapjco3.jar and sapjco3.dll and sapjco3.pdb under AppManager_home/working/lib directory.
      • If Applications Manager is installed on Windows, as mentioned in SAP Note 1077727 JCo 3.0 requires the Microsoft Visual Studio 2005 C/C++ runtime libraries (version 8.0.50727.6195) to be installed on the system. To verify, check for the presence of the "Microsoft redistributable runtime DLLs VS2005 SP1" in ControlPanel -> Program and Features. If not present, download and install the "Visual C++ 2005 SP1 Redistributable Package" from the Microsoft website https://www.microsoft.com/en-us/download/details.aspx?id=26347 and choose the package, which corresponds to the used JVM bit-width and processor architecture (x64 for 64-bit, x86 for 32-bit and ia64 for Itanium processors).
      • Restart Applications Manager.

Note: Do not copy the sapjco3.dll neither into the {windows-dir}/system32 nor into the {windows-dir}/SysWOW64 directory. This will break the operability of other JCo versions that are already installed on the same system. Furthermore you would risk that the current installation also would not work anymore, if the sapjco3.dll gets replaced in the respective Windows system directory in the future.

For Linux:

      • Download and unzip SAP JavaConnector[SAP JCo 3.0.x] from here. Depending on the hardware processor of the host machine where Applications Manager is installed. make sure you download the respective zip file.
      • In the machine, where Applications Manager is running, copy sapjco3.jar and libsapjco3.so under AppManager_home/working/lib directory.
      • Restart Applications Manager.

Microsoft Dynamics CRM / 365 (On-Premise)

To monitor a Microsoft Dynamics CRM / 365 application, use an Administrator user account with permission to execute WMI queries on 'root\CIMV2' namespace of the Dynamics CRM / 365 Server.

The following software must be installed and running on your computer before you try to execute WMI queries:

      • Microsoft .Net framework 3.5
      • Microsoft .Net framework 4.7

Firewall access for monitoring:

Ports required for monitoring via WMI.

      • Windows Management Instrumentation (WMI) (default : TCP 445)
      • Remote Procedure Call (RPC) (default :TCP 135)
      • Target server uses random port above 1024 by default to respond back for remote communication (DCOM) (default : TCP 1025 to 1030)

Powershell – Enable Script Execution:

Powershell script execution must be enabled on Applications manager server for data collection. Here is how you can do it:

Execute the below cmdlet from an administrator powershell window:

Set-ExecutionPolicy Unrestricted

If the above cmdlet produces an Error as below, you can configure Powershell Script Execution via Group Policy Editor:

Configure Powershell Script Execution via Group Policy Editor

      • Open the Group Policy Editor from Control Panel→ Edit Group Policy (or) run gpedit.msc from Start menu.
      • To configure, navigate under Computer Configuration to Policies\Administrative Templates\Windows Components\Windows PowerShell.
      • You should see a setting called Turn on Script Execution like in the following image:

      • Double-click the setting. You will want to enable it and select an option from the drop down.

      • Set it to “Allow All Scripts”.
      • Click Apply and OK.

Microsoft Dynamics AX

Supported versions of Microsoft Dynamics AX: Microsoft Dynamics AX 2012, Microsoft Dynamics AX 2012 R2, Microsoft Dynamics AX 2012 R3
      • The following software must be installed and running on your computer before you try to execute WMI queries:
        • Microsoft .Net framework 3.5
        • Microsoft .Net framework 4.7
      • To monitor a Microsoft Dynamics AX application, use an Administrator user account which has the permission to execute WMI queries on 'root\CIMV2' namespace of the AX Server.
      • Firewall access for monitoring- Ports required for monitoring via WMI:
        • Windows Management Instrumentation (WMI) (default : TCP 445)
        • Remote Procedure Call (RPC) (default : TCP 135)
        • Target server uses random port above 1024 by default to respond back for remote communication (DCOM) (default : TCP 1025 to 1030)

Servers

Windows

Currently windows hardware performance monitoring is supported in SNMP and WMI monitoring mode:

SNMP Mode of monitoring:

Monitoring Dell hardware status:

      • Dell OpenManage Server Administrator and make sure SNMP agent is enabled.
      • Installation steps http://www.dell.com/downloads/global/power/ps2q06-20050112-Lou-OE.pdf.

Monitoring HP hardware status:

      • HP System Insight Manager (SIM v6.2 or higher is recommended) and make sure SNMP agent is enabled
      • Installation steps http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00293378/c00293378.pdf

Determine if SNMP responds for the OID properly. Below are the correct OID'S for each vendor:

      • For HP: 1.3.6.1.4.1.232.2.2.2.1.0
      • For Dell: 1.3.6.1.4.1.674.10892.1.300.10.1.8.1

WMI mode of monitoring:

The following conditions must be met before you can proceed troubleshooting WMI nodes:

      • The node has successfully been added via WMI.
      • WMI is working properly on the remote server.
      • HP System Insight Manager (SIM v6.2 or higher is recommended) is installed on the remote server and running.
      • Dell OpenManage Server Administrator is installed on the remote server and running.

If WMI, Execute the below cmdlet from Powershell prompt with Administrator privileges :

Set-ExecutionPolicy Unrestricted

This is to allow execution of powershell scripts, which handle proper process termination during Datacollection

For WMI Mode of Monitoring:

In Windows Server 2008 and later versions, and in Windows Vista and later versions, use the following dynamic port range:

Start port: 49152

End port: 65535

If your computer network environment uses only Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista, you must enable connectivity over the high port range of 49152 through 65535.

Windows 2000, Windows XP, and Windows Server 2003 use the following dynamic port range:

Start port: 1025

End port: 5000

If your computer network environment uses Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista together with versions of Windows earlier than Windows Server 2008 and Windows Vista, you must enable connectivity over both the following port ranges:

High port range 49152 through 65535

Low port range 1025 through 5000

Linux

Prerequisites for monitoring Cron jobs:

      • Curl must be installed in the remote Linux machine.
      • Script linked to the cron job must have executable permission.
      • The machine where Applications Manager is installed should be reachable from the remote Linux machine via SSL port without any proxy server.
      • The remote machine where the cron job is running must be synced with the correct time zone.
      • Cron job interval should be a minimum of five minutes.
      • Cron job uses HTTPs protocol to send responses to the machine where Applications Manager is installed and is validated using the admin user's Rest API key. If the admin user's API key is regenerated, then update the latest API key for all the cron job(s) on the remote Linux machine using the crontab -e command.
      • Linux cron is supported only in SSH and TELNET mode of monitoring.

Services

JMX Applications

To monitor a JMX Applications, the following java runtime options are to be added to your application

      • Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099
      • Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false

Replace 1099 with the actual port number of the agent

Example:

      • To enable JMX Applications in JBoss:
        • Edit the run.sh/bat under JBoss home/bin.
          Append the following command to JAVA_OPTS,
          JAVA_OPTS =-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false %JAVA_OPTS%
      • To enable JMX Applications in JBoss 7 and above:
        • Copy the jboss-client.jar from <JBoss Home>/bin/client/ and place it under <Applications Manager Home>/working/classes/jboss/as7 directory.
      • To enable JMX Applications in Tomcat:
        • JAVA_OPTS =-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false %JAVA_OPTS%
      • To enable SSL for JMX applications
        • -Dcom.sun.management.jmxremote.ssl=true
      • To enable authentication, use of authentication is recommended. If you do not want to use authentication, you should change the value to false.
        • -Dcom.sun.management.jmxremote.authenticate=true
      • If you are using authentication, specify the location of the password file
        • -Dcom.sun.management.jmxremote.password.file=c:\jmxremote.password
      • If you are using authentication, specify the location of the access file
        • -Dcom.sun.management.jmxremote.access.file=c:\jmxremote.access

Refer Oracle documentation in this regard: http://docs.oracle.com/javase/1.5.0/docs/guide/management/agent.html#remote

Note: To know more about monitoring a JMX Application if your application is behind a firewall, check out this blog post. Also please note that the ping/telnet/nslookup should be working for the remote JMX:
telnet hostname port
ping hostname
ping IPAddress
nslookup hostname
nslookup IPAddress

Ceph Storage Monitor

Ceph status command is used to collect performance stats of Ceph Storage Monitor. The user given, should have read privileage to ceph.keyring file. Ensure the ceph.keyring file has appropriate permissions set (e.g., chmod 644) on your client machine.

Hadoop Monitor

1. To monitor Hadoop via REST API:

      • No Authentication:
        • URL http://<host>:<port>/jmx should be able to accessed from the Applications Manager machine for both Namenode and Jobtracker/ResourceManager
      • Simple Authentication:
        • URL http://<host>:<port>/jmx?user.name=<Hadoop host username> should be able to access from the Applications Manager machine for both Namenode and Jobtracker/ResourceManager

2. To monitor Hadoop via JMX:

      • Add the following java runtime options to 'HADOOP_NAMENODE_OPTS'; 'HADOOP_JOBTRACKER_OPTS' in Hadoop-env.sh with unique port.
        • -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.port=8004

Apache Zookeeper

Prerequisites for monitoring Apache Zookeeper:

      • Remote JMX should be enabled.
      • To ensure that please open the ZKServer file under bin folder and check the below following:
        1. JMXPORT =<PORT NO>
        2. ZOOMAIN="-Djava.rmi.server.hostname=<IP address > -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=$JMXPORT -Dcom.sun.management.jmxremote.authenticate=$JMXAUTH -Dcom.sun.management.jmxremote.ssl=$JMXSSL -Dzookeeper.jmx.log4j.disable=$JMXLOG4J org.apache.zookeeper.server.quorum.QuorumPeerMain"
Note: Replace <PORT NO> with JMXPORT and <IP address > with IP address of the machine.

Java/Transactions

APM Insight

APM Insight includes a remote monitoring agent which has to be deployed in your application instances. Know more about APM Insight Agent.

Java Runtime Monitor

To monitor a JDK1.5 JVM and above, add the following JVM arguments to your application:

-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false

To monitor IBM JDK1.5 JVM and above, add the following JVM arguments to your application:

-Djavax.management.builder.initial= -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false

Note: Port number '1099' can be replaced with the actual port number of the JMX agent.

      • To enable Java Runtime Monitor in JBoss:
        • Edit the run.sh/bat under JBoss home/bin. Append the following command to JAVA_OPTS
          JAVA_OPTS =-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false %JAVA_OPTS%
      • To enable Java Runtime Monitor in JBoss 7 and above:
        • Copy the jboss-client.jar from <JBoss Home>/bin/client/ and place it under <Applications Manager Home>/working/classes/jboss/as7 directory.
      • To enable Java Runtime Monitor in Tomcat do the following:
        • Edit the catalina.sh/bat under Tomcat home/bin. Append the following command to JAVA_OPTS
          JAVA_OPTS =-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false %JAVA_OPTS%
      • To enable SSL over JMX, use the following JMX parameters in addition to the above, and restart the server.
        • JMX Parameters:
          -Dcom.sun.management.jmxremote.ssl=true
          -Djavax.net.ssl.keyStore="E:/APMBuilds/certificates/jmx.keystore"
          -Djavax.net.ssl.keyStorePassword=password
          -Djavax.net.ssl.trustStore="E:/APMBuilds/certificates/jmx.truststore"
          -Djavax.net.ssl.trustStorePassword=password
        • Additionally, import the server certificate to "<Applications Manager Home>\working\jre\lib\security\cacerts" file and restart the server.
          • Syntax:
            keytool -import -alias <certificat_aliasname> -file <target Application server Certificate> -keystore "<AppManager_Home>\working\jre\lib\security\cacerts" -storepass changeit -noprompt

          • Example:
            keytool -import -alias jmxcert -file "E:\APMBuilds\certificates\ssloverjmx.cer" -keystore "C:\Program Files (x86)\AppManager14\working\jre\lib\security\cacerts" -storepass changeit -noprompt

In the Tomcat Environment:

Make sure the catalina-jmx-remote.jar file is present in the $TOMCAT_HOME/lib location. This jar file can be downloaded for your version of Tomcat from the Apache website from the extras section (sample link: http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.55/bin/extras/catalina-jmx-remote.jar).

Enable JMX in WebLogic

      • Open the startWebLogic.bat file in a text editor.
      • Find the JAVA_OPTS line and add the following:
        -Dcom.sun.management.jmxremote
        -Dcom.sun.management.jmxremote.port=8888
        -Dcom.sun.management.jmxremote.authenticate=false
        -Dcom.sun.management.jmxremote.ssl=false
      • Restart WebLogic.

Active Directory

  1. Install the latest .NET Framework on your Applications Manager machine.
  2. Enable .NET Framework 3.5:
    • To know how to enable .NET 3.5 in Windows Server 2008, click here.
    • To know how you can enable .NET 3.5  other Windows Servers, click here.
  3. Firewall access for monitoring:
    Ports required for monitoring via WMI:
    • Windows Management Instrumentation (WMI) (default : TCP 445)
    • Remote Procedure Call (RPC) (default :TCP 135)
    • Target server uses random port above 1024 by default to respond back for remote communication (DCOM) (default : TCP 1025 to 1030)
  4. Install the latest Windows Management Framework in both Applications Manager machine and AD Server.
  5. Check whether both machines have PowerShell version 5.0 or above. Click here for Powershell prerequisites

Using CredSSP Authentication:

CredSSP delegates the users credentials from one computer to another remote computer. Enable Credssp only when the monitored AD Server is a non-primary Domain Controller and is present in a different domain other than that of the Applications Manager server domain. Below are the steps to enable CredSSP.

Perform the following steps on the Domain Controller:

  1. Open Windows PowerShell as Administrator and execute the below commands in the Administrator PowerShell:

    Enable-WSManCredSSP -Role Server

  2. Open gpedit.msc and go to Local Computer Policy -> Computer Configuration -> Administrative Templates -> System -> Credentials Delegation

    - Enable Encryption Oracle Remediation and set Protection Level to Mitigated (Optional)

Perform the following steps on the Applications Manager Server:

[Replace "DomainControllerName" with the Hostname as used to add in Active Directory monitor].

  1. Open Windows PowerShell as Administrator and execute the below commands in the Administrator PowerShell:

    Enable-WSManCredSSP -Role client -DelegateComputer <DomainControllerName>

  2. Open gpedit.msc and go to Local Computer Policy -> Computer Configuration -> Administrative Templates -> System -> Credentials Delegation

    - Enable Allow delegating fresh credentials and set value "wsman/DomainControllerName"
    - Enable Allow delegating fresh credentials with NTLM-only server authentication and set value "wsman/DomainControllerName"

  3. In the Administrator PowerShell run the below command:

    $testSession= New-PSSession -ComputerName <DomainControllerName> -Authentication Credssp -Credential Get-Credential

If Session is created without any error proceed to add the monitor with credssp enabled.

Mail Servers

Exchange Server:

Monitoring of Exchange Server is possible only if Applications Manager is running in a Windows System. Exchange Monitoring supports two Modes of Monitoring

      • Using WMI - if WMI is enabled in the remote machine in which Exchange Server is running and
      • Using Windows PowerShell technology - To use Powershell for data collection, make sure the proper steps have been followed to enable and use remote commands in Windows PowerShell both in the Applications Manager server and the remote server.

Creating User Accounts, adding users and assigning roles

User Account Used for Monitoring:

The User Account used to add the monitor should be a member of View-Only Organization Management group. Make sure that the group has the following Roles assigned - Mailbox Search & Monitoring.

For Exchange View-Only Administrators:

This role allows read access only to Exchange organization container and containers with Exchange recipients in AD. They can verify settings, but can not change or add any settings. Only Powershell "Get-<cmdlet>" can be executed.

Adding Users and Assigning Roles

Adding Users to the View-Only Organization Management group and assigning roles in:

      • Exchange 2010/2013/2016
        • Open Exchange Mangement Console in the Exchange Server.
        • To check if the user is already under View-Only Organization Management role group: Get-RoleGroupMember "View-Only Organization Management" | where-object {$_.Name -eq "<Username>"}
        • If the user is not under the specified role group,execute the below cmdlet to add the user: Add-RoleGroupMember "View-Only Organization Management" -Member <Username>
        • Next Add the two roles for View-Only Organization Management role group
        • New-ManagementRoleAssignment -SecurityGroup "View-Only Organization Management" -Role "Monitoring"
        • New-ManagementRoleAssignment -SecurityGroup "View-Only Organization Management" -Role "Mailbox Search"
      • Exchange 2007:
        • Open Exchange Management Shell.
        • Execute the following cmdlet: Add-ExchangeAdministrator –Identity <Username> –Role ViewOnlyAdmin

Configuring ConnectionURI for Powershell Remoting

The ConnectionURI is used to establish a connection to a remote computer using the URI address of the related HTTP or HTTPS endpoint.These connections are made over TCP port 80 for HTTP and TCP port 443 for HTTPS. By default,the connection URI is of the form http://<Hostname/IPaddress>/powershell and uses Kerberos authentication.

      • With Kerberos Authentication: When the machine running Exchange Server is joined to the same domain as the machine running Applications Manager, either HTTP or HTTPS can be used with Kerberos Authentication.
      • If Kerberos Authentication is not supported , or the machine is in another domain, the other option is to configure Basic Authentication for powershell virtual directory. To configure basic authentication in Exchange 2013, 2010 or 2007 using IIS Manager:
        • Open IIS Manager.
        • In the Connections pane, expand Default Web Site, and then click PowerShell.
        • Click Authentication in the results pane and enable Basic Authentication.

NoteIf you decide to use Basic Authentication, HTTPS should be used as mode of connection for connectionURI. If the connectionURI should be customized it can be done so by clicking the "Customize ConnectionURI" option in new monitor page. To provide a different port for the connectionUri provide it in the following format: <https://<hostname>/Powershell:<portnumber> (or) <http://<hostname>/Powershell:<portnumber>
For Example: http://win-exchange13/Powershell:4444

Middleware/Portal

IBM WebSphere MQ Monitor

To monitor IBM Websphere MQ Series, the following jar files must be added to the respective locations:

For IBM Websphere MQ Series version Jar files to be added Location in Websphere MQ Location in Applications Manager
Version 5.x/6.x
  1. com.ibm.mq.jar
  2. com.ibm.mq.pcf-6.x.jar
  3. connector.jar

Download the supportpac MS0B WebSphere MQ Java classes for PCF, the com.ibm.mq.pcf-6.1.jar file for version 6 and older versions.

The jar files can be found under <Websphere MQ Home Directory>\Java\lib directory.

Copy the jar files to<ProductHome> \working\jre\lib\ext directory.
Version 7
  1. connector.jar
  2. com.ibm.mq.jar
  3. com.ibm.mq.pcf.jar
  4. com.ibm.mq.jmqi.jar
  5. com.ibm.mq.headers.jar
  6. com.ibm.mq.commonservices.jar
All the jar files can be found under<Websphere MQ Home Directory>\Java\lib directory. Copy the jar files to<ProductHome> \working\jre\lib\ext directory.
Version 8 and above
  1. com.ibm.mq.jar
  2. com.ibm.mq.pcf.jar
  3. com.ibm.mq.jmqi.jar
  4. com.ibm.mq.headers.jar and
  5. com.ibm.mq.commonservices.jar
  6. com.ibm.mq.allclient.jar
All the jar files can be found under<Websphere MQ Home Directory>\Java\lib directory. Copy the jar files to<ProductHome> \working\jre\lib\ext directory.

IBM WebSphere Message Broker

To discover Message Broker, the following jars are required:

      • ConfigManagerProxy.jar located at <Broker Home Directory> \classes directory.
      • ibmjsseprovider2.jar located at <Broker Home Directory>\jre\lib directory.

Copy the two jar files to <AppManager Installation>\working\jre\lib\ext directory.

Note: Copy these jar files to <JavaHome>\jre\lib\ext directory if external JDK is configured for AppManager. Restart Applications Manager and try adding the monitor.

For IBM Integration Bus(MessageBroker 10.x):

      • The following jars are required to monitor IIB:
        IntegrationAPI.jar

        jetty-io.jar

        jetty-util.jar
        websocket-api.jar

        websocket-client.jar

        websocket-common.jar
      • IntegrationAPI.jar located at <Broker Home Directory>\common\classes directory.
      • jetty-io.jar, jetty-util.jar, websocket-api.jar, websocket-client.jar, websocket-common.jar located at <Broker Home Directory>\common\jetty\lib directory.
      • Copy the jar files to <ProductHome>\working\jre\lib\ext directory.

Note: Copy these jar files to <JavaHome>\jre\lib\ext directory if external JDK is configured for AppManager. Restart Applications Manager and try adding the monitor.

WebLogic Integration Server

Note: WebLogic Integration Server needs some additional configuration and conditions to be followed for monitoring.

      • For monitoring WebLogic Integration Server 8.x, you should set the weblogic.disableMBeanAuthorization andweblogic.management.anonymousAdminLookup system variable to true for enabling data collection.
      • Follow the steps given below:
        • Edit startWLS.cmd\sh present in the <WLS_HOME>/server/bin directory and add the following argument -Dweblogic.disableMBeanAuthorization=true and -Dweblogic.management.anonymousAdminLookupEnabled=true (click on the link to view the sample startWLS.cmd\sh file)
        • Restart the WebLogic Integration Server for the changes to take effect.
        • Copy weblogic.jar from folder /weblogic81/server/lib in Remote WebLogic server version 8 and place it under <AppManager Home >\working\classes\weblogic\version8 folder in the machine where Applications Manager is running.

Microsoft Office SharePoint Server

For SharePoint Standalone Server:

WMI Mode:

  • WMI access to remote server is required.

PowerShell Mode:

For SharePoint Farm Server:

Perform the following steps on the SharePoint Server(s):

  1. In the Server Manager, add the user account used for adding the Sharepoint to the following Groups:
    • Remote Desktop Users
    • WinRMRemoteWMIUsers__
    • WSS_ADMIN_WPG
  2. Open the Sharepoint Management shell as an administrator and execute the below commands one by one:
    • Enable-PSRemoting -Force
    • Enable-WSManCredSSP –Role Server
    • winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'
      [This is Optional].
    • winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="600"}'
      [This is Optional].
    • Get-SPShellAdmin
      [This command will return all the users who have the SharePoint_Shell_Access role].
    • Get-SPDatabase | Add-SPShellAdmin DOMAIN\UserName
      [Replace Domain\Username with the user used to add the SharePoint Server].
    • Get-SPShellAdmin
      [The added user should be listed.]
    • Set-PSSessionConfiguration -Name Microsoft.PowerShell32 –ShowSecurityDescriptorUI
      [This command will open up a dialog box. Add the user(s) with Read and Execute permissions then click OK]
      .
    • Run the above command again to ensure the permissions were applied correctly.

Perform the following steps on the Applications Manager Server:

  1. Open Windows PowerShell as Administrator.
  2. Execute the below commands in the Administrator PowerShell:
    • Enable-WSManCredSSP -Role client -DelegateComputer “SharePointServerName”
      [Replace SharePointServerName with the FQDN of the SharePoint server].
    • $cred=get-Credential
    • $s=new-PSsession “SharePointServerName” -authentication credssp -credential $cred
      [Replace SharePointServerName with the FQDN of the SharePoint server].
    • Invoke-Command -Session $s -ScriptBlock {Add-PSSnapin Microsoft.SharePoint.PowerShell;}
    • Invoke-Command -Session $s -ScriptBlock {get-SPContentDatabase}
      [This will return all the content databases in your SharePoint farm and ensure you have access].
    • Invoke-Command -Session $s -ScriptBlock {get-spserviceinstance}
      [This will return the SharePoint service instances and ensure you have access].
    • Enter-PSSession -session $s
      [You will now see the servers name in [ ] PS: c:\users\\documents].
    • Exit-PSSession

If there are any errors related to permissions issue while executing the above commands, resolve the same.
For any issues related to Add-SPShellAdmin, check the following link: https://technet.microsoft.com/en-us/library/ff607596.aspx

Microsoft BizTalk Monitoring

To monitor a Microsoft BizTalk Server, the user must have Administrator privileges. To use Powershell for data collection, make sure the proper steps have been followed to enable powershell remoting.

Azure Service Bus

To add an Azure Service Bus Namespace in Applications Manager, a .pfx file (which contains the cryptographic information of private keys) of the certificate uploaded in Azure Management certificates is required.
In the console, execute the script <APM_HOME>/bin/exportCertificateToAppManager.sh/bat file to export the managed certificate of your account to Applications Manager.
To know more about creating certificates and uploading in Windows Azure portal, Click here.

Example:
<APM_HOME>/bin/exportCertificateToAppManager.bat [testCertificate.pfx] [password]

Apache ActiveMQ

Using JMX to monitor Apache ActiveMQ

Apache ActiveMQ has extensive support for JMX to allow you to monitor and control the behavior of the broker via the JMX MBeans.

You can enable/disable JMX support as follows:

      • Run a broker setting the broker property useJmx to true (enabled by default) i.e.
        For xbean configuration:
        <broker useJmx="true" brokerName="BROKER1">
        ...
        </broker>
      • Run a JMX console
        $ jconsole
      • The ActiveMQ broker should appear in the list of local connections, if you are running JConsole on the same host as ActiveMQ.

Virtualization

VMware Horizon View Connection Broker

Prerequisite for adding the Connection Broker monitor in the Applications Manager host:

VMware Horizon View Connection Broker monitor uses Windows PowerShell technology. Follow these steps to enable Windows PowerShell Remoting in the Applications Manager server and the remotely monitored Horizon View server:

Enable and Use Remote Commands in Windows PowerShell in Applications Manager server and remote server:

For using PowerShell in Applications Manager, you need Windows Management Framework (Windows PowerShell 2.0 and WinRM 2.0) on both Applications Manager server and the remote Windows server. For more details refer http://support.microsoft.com/kb/968929. Also ensure that Windows PowerShell is enabled in both servers (Open Control Panel. Select Programs and Features. In the Tasks list, click Turn Windows features on or off. When the Server Manager console opens, check if Windows PowerShell is enabled)

You can verify the availability of Windows Remote Management (WinRM) service and configure PowerShell for remoting by following these steps:

      • Start Windows PowerShell as an administrator by right-clicking the Windows PowerShell shortcut and selecting Run As Administrator.
      • To configure Windows PowerShell for remoting, type the following command:
        Enable-PSRemoting –force
      • Configure the TrustedHosts setting on both computers, so that computers will trust each other:
      • On Remote Monitored Server:
        Set-Item wsman:\localhost\client\trustedhosts <Applications Manager hostname>
      • On Applications Manager Sever:
        Set-Item wsman:\localhost\client\trustedhosts *
      • On both computers, restart the Windows Remote Management (WinRM) so the new settings will take effect:
        Restart-Service WinRM

You can test the configuration and connection from Applications Manager using the Test-WSMan -ComputerName <remote server> command. This command tests whether the WinRM service is running on the remote computer and if Applications Manager can communicate with the remote server.

Docker

Docker and Docker Container metrics are collected via their REST API, so Docker's REST API should be enabled to add a Docker Monitor.

To enable remote API:

      1. Open etc\default\docker file
      2. Add the below option
        DOCKER OPTS='-H tcp://0.0.0.0:4243-H=unix:///var/run/docker.sock'
      3. Save the file.
      4. Restart Docker.

Web Server / Services

PHP

Place the phpstats.php file in the webserver's document root. The phpstats.php can be found in <Applications Manager Home>/working/resourcesdirectory.

Apache

Enabling the Server status and the Extended-status will give additional information for the Apache server.

To enable the Server Status, follow the steps given below:

      • In Apache's httpd.conf file, locate "Location /server-status" tag.
      • Remove the comment in the Location/Server-status tag, to Enable SetHandler server-status.
      • Change the attribute "deny from all" to "Allow from all".
      • Remove the comment in "LoadModule status_module modules/mod_status.so".
      • Save the conf file and restart the Apache Server.

To enable the Extended-status, follow the steps given below:

      • Locate "ExtendedStatus" Attribute in httpd.conf file.
      • Remove the comment to enable the status.
      • Save the conf file and restart the Apache Server.

HAProxy

To monitor a HAProxy instance:
      • Open the 'stats' port for collecting the metrics.
      • To enable metrics collection, add the following content at the bottom of the file /etc/haproxy/haproxy.cfg:
        listen stats :9000
        mode http
        stats enable
        stats hide-version
        stats realm Haproxy\ Statistics
        stats uri /
        stats auth Username:Password
      • Restart the HAProxy instance. This will open up the stats in the port '9000' (we have specified 9000 as the port in this configuration). You can further add the same HAProxy for monitoring using the hostname and port.

Note:
* You can change the port (9000 by default) to any free port that you wish to use.
* The line number 7 is for setting up basic authentication for this stats url. A user can provide his own username and password.
* We use the following URL to collect metrics: http://[HOSTNAME]:[PORT]/;csv
(Replace [HOSTNAME] and [PORT] with the respective hostname of the HAProxy instance and port which is mentioned in the above configuration).

Nginx

To Enable the Nginx Server Status, follow the steps given below:

      • Configure the location /server_status method in <NGINX_HOME>/conf/nginx.conf file, to enable server_status.
      • The value of stub_status attribute should be "on".
      • Change the attribute "deny all" to "Allow all".
      • Save the conf file and restart the Nginx Server.

Real Browser Monitoring (RBM)

RBM requires network connectivity between the RBM agent and the Applications Manager server. This network connectivity can be ensured with the help of the VPN or NAT or by assigning an direct IP Address to the Applications Manager server. In the case where an agent is deployed within the local network and another one in a remote site, a dual NIC or any one of the above means would be required to ensure this connectivity.

For any further support please contact appmanager-support@manageengine.com. You can visit Troubleshooting details.

ManageEngine ADManager Plus

Mode of Monitoring: Remote JMX

Prerequisites for monitoring ManageEngine ADManager Plus:

1. Add below entries in wrapper.conf (D:\ManageEngine Products\ADManager Plus\conf\wrapper.conf) or run.bat (D:\ManageEngine Products\ADManager Plus\bin\run.bat) file:

#Enable Remote JMX
wrapper.java.additional.16=-Dcom.sun.management.jmxremote
wrapper.java.additional.17=-Dcom.sun.management.jmxremote.port=1999
wrapper.java.additional.18=-Dcom.sun.management.jmxremote.ssl=false
wrapper.java.additional.19=-Dcom.sun.management.jmxremote.authenticate=false

2. To monitor PGSQL DB, implement the following changes:

  • D:\ManageEngine Products\ADManager Plus \pgsql\data\postgresql.conf
    Uncomment and update ip address: listen_addresses = '172.22.168.171'
  • D:\ManageEngine Products\ADManager Plus \pgsql\data\pg_hba.conf

    # IPv4 local connections:
    #host all all 127.0.0.1/32 trust
    host all all 0.0.0.0/0 trust

  • D:\ManageEngine Products\ADManager Plus\conf\database_params.conf
    Update the hostname/ipaddress instead of localhost .

For PGSQL/MSSQL database, Statistics will be collected by connecting to the database.

ManageEngine ServiceDesk Plus

Prerequisites:

To monitor PGSQL DB, implement the following changes:

  • C:\ManageEngine\ServiceDesk\pgsql\data\postgresql.conf
    Uncomment and update ip address: listen_addresses = '172.22.168.171'
  • C:\ManageEngine\ServiceDesk\pgsql\data\pg_hba.conf

    # IPv4 local connections:
    #host all all 127.0.0.1/32 trust
    host all all 0.0.0.0/0 trust

  • Update the hostname/ipaddress instead of localhost  in <SDP_HOME>\ServiceDesk\server\default\deploy\postgres-ds.xml file.

ManageEngine OpManager

Mode of Monitoring: Remote JMX

For PGSQL DB, statistics will be collected by connecting to the database.

Prerequisites for monitoring ManageEngine OpManager:

For Windows:

In Service Mode:

1. Add below entries in wrapper.conf
C:\ManageEngine\OpManager\conf\wrapper.conf

# Enable Remote JMX
wrapper.java.additional.16=-Dcom.sun.management.jmxremote 
wrapper.java.additional.17=-Dcom.sun.management.jmxremote.port=1999 
wrapper.java.additional.18=-Dcom.sun.management.jmxremote.ssl=false 
wrapper.java.additional.19=-Dcom.sun.management.jmxremote.authenticate=false

In Non-Service Mode:

Append the following parameters to JAVA_OPTS:

set JAVA_OPTS= %JAVA_OPTS%
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=1999
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false

For Linux:

Add the following entry in run.sh:

JAVA_OPTS="$JAVA_OPTS
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=1999
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false"

2. To monitor PGSQL DB, do the following changes:

  • Open postgresql.conf under <postgres home>/data
  • Check the value of the configuration parameter listen address. It should be "*". Click here for more details on configuring postgresql.conf
  • Open pg_hba.conf under <postgres home>/data
  • Add a new line 'host all all 0.0.0.0/0 trust' to allow all the machines with proper password authentication to acces PostgreSQL database server. Click here for more details on configuring pg_hba.conf file.
  • Open C:\ManageEngine\OpManager\conf\database_params.conf file.
  • Update the hostname/ipaddress instead of localhost.