Credentials for Direct Collection of Oracle Inventory

FlexNet Manager Suite 2020 R1 (On-Premises)

The accounts and privileges required for direct collection of inventory data from an Oracle database instance are relatively straightforward. In addition to inventory collection, the entire process must allow for the initial discovery of devices and their database instances to query, and some discovery methods add their own requirements for credentials.

Using network discovery

This method of discovery requires two sets of credentials.

The first is an account that can be used to log into the target device and probe specified ports to test for the presence of an Oracle Net Listener. This account must be registered in the Password Manager on the inventory beacon responsible for discovery (and subsequent inventory gathering).

Once a device has been discovered, and the Oracle Net Listener is known to exist on that device, the listener must accept a remote connection and status request (that is, remote administration). This request identifies the database instances (services) that the listener knows about. (The listener password is required only for the case of network discovery, since this is the only case that requires a remote administration connection to the listener; in the other cases, the database instances are already identified without this request.) This password must be registered in the secure Password Manager on the inventory beacon that is to complete the discovery and collect the database inventory. Only the password is required; no account name is needed with this listener password.
Tip: If there are multiple listeners on the Oracle server and these have multiple passwords, each password for listeners you will access must be recorded in the Password Manager. These are not differentiated by any listener identification: the FlexNet Beacon engine simply steps through each listener password in turn until one works.
Note: This method of remote administration of the listener to discover the available Oracle database instances has been barred from Oracle Database version 12c onwards. To use direct inventory gathering with later versions of the database, you must use one of the other discovery methods; and in those alternative discovery methods, the listener's administrative password is not required. (Of course, this is independent of the credentials for inventory gathering, described below, that are required after discovery has been completed.)

Using tnsnames.ora

There are no special credentials required, other than the normal ones to get the tnsnames.ora in place on the inventory beacon (for details see Using tnsnames Discovery with Direct Inventory):
  • If you are manually transferring a tnsnames.ora file from your Oracle server, you need to log in to the inventory beacon with sufficient privileges to access the file path (typically, with administrator privileges).
  • If you are using the OEM adapter, this writes the tnsnames.ora file into the correct location, and the credentials needed for the adapter are covered in the FlexNet Manager Suite Inventory Adapters and Connectors Reference PDF, available through the title page of online help.
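
An added example, not part of the Flexera documentation or product: a small Python parser that lists the aliases, hosts, ports and service names in a tnsnames.ora file, so you can review which database instances the file exposes to the inventory beacon and will therefore need a service account registered in Password Manager. The sample content, host names and function names are constructed for illustration; a missing PORT is assumed to be 1521.

```python
import re

LEAF = re.compile(r"\(\s*(\w+)\s*=\s*([^()]+?)\s*\)")  # matches (KEY = value)
ADDRESS = re.compile(r"\(\s*ADDRESS\s*=((?:\s*\([^()]*\))+)\s*\)", re.I)

SAMPLE = """# constructed sample: hosts, ports and service names are made up
ORCL = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.test)(PORT = 1521))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = orcl.example.test)))
FIN, FIN_ALT =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db2.example.test)(PORT = 1522))
      (ADDRESS = (PROTOCOL = TCP)(HOST = db3.example.test)(PORT = 1522)))
    (CONNECT_DATA = (SID = FIN)))  # legacy SID entry
"""

def split_entries(text):  # yields (alias text, parenthesised body) per entry
    depth, start, head = 0, 0, ""
    for i, ch in enumerate(text):
        if ch == "(":
            if depth == 0:
                head, start = text[start:i], i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in tnsnames.ora")
            if depth == 0:
                yield head, text[start:i + 1]
                start = i + 1
    if depth:
        raise ValueError("unbalanced '(' in tnsnames.ora")

def parse_tnsnames(text):
    """Return one dict per alias and address: alias, host, port, service."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    targets = []
    for head, body in split_entries(text):
        aliases = [a.strip() for a in head.strip().rstrip("=").split(",") if a.strip()]
        leaves = {k.upper(): v for k, v in LEAF.findall(body)}
        service = leaves.get("SERVICE_NAME") or leaves.get("SID")
        for addr in ADDRESS.findall(body):
            a = {k.upper(): v for k, v in LEAF.findall(addr)}
            targets += [{"alias": al, "host": a.get("HOST"), "service": service,
                         "port": int(a.get("PORT", 1521))} for al in aliases]
    return targets

def instances(targets):  # distinct (host, port, service) needing credentials
    return sorted({(t["host"], t["port"], t["service"]) for t in targets}, key=str)
```

Calling `instances(parse_tnsnames(SAMPLE))` returns the distinct host, port and service combinations; an entry whose service is `None` has neither SERVICE_NAME nor SID and should be corrected before the file is placed on the inventory beacon.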

Using manually-created discovery device records

No additional credentials are required — an operator in a Role with sufficient privileges to create the records does the data input, and these discovered device records are then utilized automatically when required.

Credentials for inventory gathering

Regardless of the discovery method you use, direct inventory collection proceeds by having the inventory beacon connect to the listener requesting access to each service/database instance (no listener password is required for this request). These connection requests require the service name, the service user account, and the service password for each Oracle database instance. The service user account:
  • Is a member of the OS-specific ORADBA group (the local ora_dba security group on Windows platforms and the dba group on UNIX-like platforms)
  • Has at least read-only permissions for all the tables and views needed for collecting Oracle inventory (listed in Appendix C: Oracle Tables and Views for Oracle Inventory Collection)
  • Has the user name and password registered in the secure Password Manager on the inventory beacon that is to collect inventory from each database instance.
One potentially helpful practice is to use the same set of credentials on all target Oracle servers as a special "audit account". This makes it easier to register a single set of credentials in the Password Managers on all applicable inventory beacons, and to script creation of the account consistently across all your Oracle servers. If you choose to use a common audit account across servers, Flexera provides a script to create and configure this database user. To get this script, log into the Flexera Knowledge Base (https://flexeracommunity.force.com/customer/CCKnowledgeBase, or access through the Support pages of the company website), and search for article Q200934.
Note: The sole purpose of creating this audit user is to collect Oracle inventory. However, FlexNet Manager Suite counts it as a named user while calculating license compliance for Oracle licenses. You can adjust the license consumption for this user to avoid consuming license entitlements. Navigate to the Oracle Instance Properties > Oracle users page for each affected database instance and set the consumption for this user to zero. For more information, see the associated online help.
