Oracle Cloud Infrastructure Documentation

Perform Prerequisites for Deploying Management Gateway

Note

For specific prerequisites when configuring the Management Gateway in high availability mode, see Perform Prerequisites for Management Gateway High Availability.

Set Up Oracle Cloud Infrastructure for Management Gateway

The Management Gateway and Management Agent use the Management Agent service from Oracle Cloud Infrastructure (OCI). Before installing the Management Gateway, you must complete the instructions to set up the Oracle Cloud Infrastructure environment to use the Management Agent service. For details, see Set Up Oracle Cloud Infrastructure for Management Agent Service.

Generic Prerequisites for Deploying Management Gateway

Before deploying Management Gateway, ensure the following prerequisites are met:

Oracle Cloud Infrastructure Requirements

Supported Operating Systems

Table 7-1 Supported Operating Systems

Operating System Version

Oracle Linux

6 (64 bit), 7 (64 bit), 8 (64 bit), 9 (64 bit)

Red Hat Enterprise Linux

6 (64 bit), 7 (64 bit), 8 (64 bit)

Operating System Requirements

  • Minimum disk requirement: 300 Mb of free disk space and an additional 100 Mb for the Management Gateway software download.

    It also requires disk space for writing buffered messages to disk. This area should have at least 1 GB of free disk space.

  • A user with sudo privileges responsible of installing the Management Gateway software on the host.

  • Java Development Kit (JDK) or Java Runtime Environment (JRE) must be installed on your host prior to installing the Management Gateway software.

    Ensure you have downloaded and installed JDK or JRE version 1.8u281 or higher before starting the Management Gateway software installation process. See Java Downloads.

  • Management Gateway requires a dedicated host. If Management Agent is already installed on the host, install the Management Gateway on another host, dedicated to it.

  • Ensure /tmp doesn't have the noexec flag set if you are mounting it.

Network Prerequisites

  • If your network setup has a firewall, ensure that HTTPS communication (port 443) is allowed from the host where the Management Gateway is deployed to the appropriate Oracle Cloud Infrastructure domain(s). The relevant domain will depend on the realm. For example, Management Agents using the Oracle Cloud Infrastructure commercial realm OC1 will need to connect to *.oraclecloud.com domain.

    Oracle Cloud Infrastructure is hosted in regions. Regions are grouped into realms. Your tenancy exists in a single realm and can access all regions that belong to that realm. You cannot access regions that are not in your realm. Currently, Oracle Cloud Infrastructure has multiple realms. For more information about regions and realms, see Regions and Availability Domains.

    Each Gateway belongs to a specific OCI compartment. All Agents connecting through a Gateway must be in the same compartment as that Gateway.

    You can use any available network connectivity tool to verify connectivity with the data center.

    For information about the IP address ranges for services that are deployed in Oracle Cloud Infrastructure, see IP Address Ranges.

    The following example table lists the ports that need to be open for communication.
    Direction Port Protocol Reason

    Management Gateway host to external

    443

    HTTPS

    Communication with Oracle Cloud Infrastructure services.

Configure Certificates for Management Gateway

Starting with Management Agent version 221019.0021 and Management Gateway version 221019.0021.1667404647, the communication between Agent, Gateway and OCI requires certificates. The certificates and other required entities will be automatically created, but certain OCI policies need to be set up for this to work.

There are two options available:

Automatic Certificate Creation (Recommended)

This is the recommended method to create certificates.

If the parameter GatewayCertOcid is not set in the response file, the Gateway attempts to create the required certificates and other required entities automatically.

If the Management Gateway is configured in high availability mode, and the load balancer and Management Gateway are in different domains, see Advanced Configuration Management Gateway High Availability for details.

Required Dynamic Groups:

  1. Create Credential_Dynamic_Group with below rule: 

    ALL  {resource.type='certificateauthority', resource.compartment.id='<>'}

  2. Create Management_Gateway_Dynamic_Group with below rule: 

    ALL {resource.type='managementagent', resource.compartment.id='<>'}
Note

The compartment ID is an OCID.

Required Policies: 


Allow DYNAMIC-GROUP Credential_Dynamic_Group to USE certificate-authority-delegates in compartment <>

Allow DYNAMIC-GROUP Credential_Dynamic_Group to USE vaults in compartment <>

Allow DYNAMIC-GROUP Credential_Dynamic_Group to USE keys in compartment <>

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to READ certificate-authority-bundle in compartment <>

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to READ leaf-certificate-bundle in compartment <>

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to MANAGE certificate-authorities in compartment <> where  any{request.permission='CERTIFICATE_AUTHORITY_CREATE', request.permission='CERTIFICATE_AUTHORITY_INSPECT', request.permission='CERTIFICATE_AUTHORITY_READ'} 

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to MANAGE leaf-certificates in compartment <> where  any{request.permission='CERTIFICATE_CREATE', request.permission='CERTIFICATE_INSPECT', request.permission ='CERTIFICATE_UPDATE', request.permission='CERTIFICATE_READ'}

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to MANAGE vaults in compartment <> where any{request.permission='VAULT_CREATE', request.permission='VAULT_INSPECT', request.permission='VAULT_READ', request.permission='VAULT_CREATE_KEY', request.permission='VAULT_IMPORT_KEY', request.permission='VAULT_CREATE_SECRET'} 

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to MANAGE keys in compartment <> where any{request.permission='KEY_CREATE', request.permission='KEY_INSPECT', request.permission='KEY_READ'} 

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to USE certificate-authority-delegates in compartment <>

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to USE key-delegate in compartment <> 

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group TO MANAGE leaf-certificates in compartment <> where all{request.permission='CERTIFICATE_DELETE', target.leaf-certificate.name=request.principal.id}

Manual Certificate Management

It's possible to set up certificates manually. The administrator can create a certificate using the OCI console. Afterwards, specify the OCID of that certificate in the response file using the parameter GatewayCertOcid.

For information about creating a certificate, see Overview of Certificate.htm.

Required Dynamic Groups:

  1. Create Credential_Dynamic_Group with below rule: 

    ALL  {resource.type='certificateauthority', resource.compartment.id='<>'}

  2. Create Management_Gateway_Dynamic_Group with below rule: 

    ALL {resource.type='managementagent', resource.compartment.id='<>'}
Note

The compartment ID is an OCID.

Required Policies: 

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to READ certificate-authority-bundle in compartment <>
Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to READ leaf-certificate-bundle in compartment <>
Note

Policies are per compartment. The same compartment must be used for the Gateway and all Agents connecting to it.