Thanks to the OMC team I received my own OMC trial environments to set up some experiments. Looking through OMC I saw some familiar components such as synthetic tests, and here and there some components that are used in Oracle RUEI.

The possibilities in OMC are huge, and I will discuss them at a later stage, but something I wanted to try out was whether I could create a mechanism to detect that a hackers' collective was trying to break into a web application by using some sort of password attack.

 

My ingredients:

  • An Oracle Java Cloud Service containing a WebLogic 12c domain, hosting web applications
  • An Oracle Management Cloud subscription, with the following components:
    • Application Performance management
    • Log Analytics
    • IT Analytics
    • Infrastructure Monitoring

 

Set up the basic needs

Before you can use OMC, some basic steps need to be done. These steps are:

  • Install the APM agent
  • Install the Cloud agent
  • Enable and register the agents on my JCS environment to the OMC

 

Install the APM Agent

Of course, there is no agent software package, so first of all the software needs to be downloaded. The basic script can be downloaded from your OMC environment:

You can place the script on the servers of your JCS instance, in my case the database, WebLogic and Oracle Traffic Director.

 

After unzipping, the agent download can begin:

Cloud agent:

Java APM Agent:

You can obtain the registration keys in OMC, on the Administration tab.

 

Then you enter the stage locations and install the agents:

./AgentInstall.sh AGENT_TYPE=apm_java_as_agent AGENT_REGISTRATION_KEY=***************************** AGENT_BASE_DIR=/u01/app/oracle/tools/paas/state/homes/oracle/omc_cloud_agent  -staged
./AgentInstall.sh AGENT_TYPE=cloud_agent AGENT_REGISTRATION_KEY=************************* AGENT_BASE_DIR=/u01/app/oracle/tools/paas/state/homes/oracle/omc_cloud_agent  -staged

 

Adding the entities

Oracle provides JSON files for every type of environment, which you can use to add your environment specifics to OMC. My example for JCS:

{
    "entities": [
        {
            "name": "QJCS01_server_1",
            "type": "omc_weblogic_j2eeserver",
            "displayName": "QJCS01 Managed Server 1 ",
            "timezoneRegion": "CET",
            "properties": {
                "host_name":
                    {"displayName": "Weblogic Host", "value": "qjcs01-wls-1.compute-gse00003036.oraclecloud.internal"},
                "domain_home":
                    {"displayName": "Domain Home", "value": "/u01/data/domains/QJCS01_domain"},
                "listen_port":
                    {"displayName": "Listen Port", "value": "9073"},
                "listen_port_enabled":
                    {"displayName": "Listen Port Enabled", "value": "true"},
                "ssl_listen_port":
                    {"displayName": "SSL Listen Port", "value": "9074"},
                "server_names":
                    {"displayName": "Server Names", "value": "QJCS01_server_1"}
            },
            "associations": [
                {
                    "assocType": "omc_monitored_by",
                    "sourceEntityName": "QJCS01_d_server_1",
                    "sourceEntityType": "omc_weblogic_j2eeserver",
                    "destEntityName": "QJCS01_domain",
                    "destEntityType": "omc_weblogic_domain"
                }
            ]
        }
    ]
}

Together with a JSON credential file you can add it all to OMC:

/u01/app/oracle/tools/paas/state/homes/oracle/omc_cloud_agent/agent_inst/bin/omcli add_entity agent /u01/app/oracle/tools/paas/state/homes/oracle/omc_cloud_agent/my_entities/qjcs01_domain.json -credential_file cred.json

 

I repeated these steps for my Database and Traffic Director, using their specific JSON files.

 

After adding the entities, you need to provision the APM agent using the script from your APM stage directory:

./ProvisionApmJavaAsAgent.sh -d /u01/data/domains/QJCS01_domain -no-wallet

 

Then add the APM jars to the domain in startWebLogic.sh (and restart the WebLogic domain):

 

JAVA_OPTIONS="${JAVA_OPTIONS} -javaagent:${DOMAIN_HOME}/apmagent/lib/system/ApmAgentInstrumentation.jar"
SAVE_JAVA_OPTIONS="${JAVA_OPTIONS}"

 

If all goes OK, you can see your agents being registered in OMC:

 

Now the basic steps are finished. As you click through OMC, loads of information has already been generated from your JCS instance.

 

Log Analytics - detect a pattern

 

Now a simple use case: I wanted to discover whether users attempt either unauthenticated (HTTP 401) or unauthorized (HTTP 403) access to a web application. I deployed a simple web application, and some users with different roles, to be able to test with it.

Some users had more permissions than others, so I could test between them.

Second, I wanted a huge load of requests performing these actions:

  • Access the web page, try to log in and do some action (legal or illegal).
  • Or try to log in with a wrong password

 

For this I created a simple JMeter script to access the web page, log in, and perform an action within the session. The action was a task to close an office, which was only permitted for someone with the manager's role.

 

I let this script run continuously, to generate the data I needed.

 

 

Using Log Analytics

As a first step in using Log Analytics, I analyzed the access logs, which gave a clear view of the loads of HTTP 401 and 403 errors.

Now these can happen on every website, and there should be nothing to worry about, but in this case a large volume of these errors passed, so this cannot be a mistake or a human error.

I clicked on Log Analytics, selected the WebLogic domain that runs in the cloud, and selected the access logs in the pie chart.

Then, in the left tab, I selected the field Security Result.

 

 

Note that the denied count is very high. The next step was to save this search, and what was very cool was that I could create an alert out of it.

 

I received a mail with this specific alert, and another one at the time the JMeter test had stopped, saying that the alert had been cleared.
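The same detection idea, a count of denied requests per interval that raises an alert and later clears it, can be checked offline against an access log. This is an added example, not code from the original post or from OMC; it assumes the WebLogic access log is in Common Log Format, and the one-minute interval, the threshold of 5, the sample lines and the /office paths are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Common Log Format: host ident user [timestamp] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+')
DENIED = {"401", "403"}         # unauthenticated / unauthorized responses
WINDOW = timedelta(minutes=1)   # assumed evaluation interval
THRESHOLD = 5                   # assumed denied-count limit per interval

def parse(line):
    """Return (timestamp, client, status), or None for a malformed line."""
    m = CLF.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(1), m.group(3)

def evaluate(lines):
    """Return alert transitions as (state, interval start, denied count, top client)."""
    denied, seen = defaultdict(Counter), []
    for ts, client, status in filter(None, map(parse, lines)):
        window = ts.replace(second=0, microsecond=0)
        seen.append(window)
        if status in DENIED:
            denied[window][client] += 1
    if not seen:
        return []
    events, alerting, window, last = [], False, min(seen), max(seen)
    # Walk every interval, silent ones included, so the alert clears when denials stop.
    while window <= last:
        per_client = denied.get(window, Counter())
        total = sum(per_client.values())
        top = per_client.most_common(1)[0][0] if per_client else None
        high = total >= THRESHOLD
        if high != alerting:
            events.append(("RAISED" if high else "CLEARED", window, total, top))
        alerting = high
        window += WINDOW
    return events

# Constructed sample: a normal request, a burst of 401/403 from one client, then quiet.
FMT = '%s - - [10/Mar/2017:14:%s +0100] "%s HTTP/1.1" %d 1024'
SAMPLE = ([FMT % ("192.0.2.10", "00:05", "GET /office/", 200)]
          + [FMT % ("192.0.2.66", "01:%02d" % s, "POST /office/login", 401) for s in range(0, 40, 10)]
          + [FMT % ("192.0.2.66", "01:%02d" % s, "POST /office/close", 403) for s in (45, 50)]
          + [FMT % ("192.0.2.10", "03:12", "GET /office/", 200)])

if __name__ == "__main__":
    print(*evaluate(SAMPLE), sep="\n")
```

Reporting the top client per interval helps separate one misbehaving source from a general rise in denials across many users.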

 

This is only a first, basic step in using OMC to detect hostile actions, so next time I will dive deeper into all the great features!