Credentials for FlexNet Inventory Scanner Inventory

FlexNet Manager Suite 2023 R1 (On-Premises)

When using FlexNet Inventory Scanner as your inventory-gathering tool, you configure your preferred scheduling tool (such as Microsoft Task Scheduler on Windows, or cron on UNIX-like platforms) to invoke FlexNet Inventory Scanner with the appropriate tracker command line parameters (documented in ndtrack Command Line in the Gathering FlexNet Inventory PDF). Since this invocation is local on the target inventory device, there is no requirement to register any credentials in the Password Manager on any inventory beacon.

The credentials required on the target device vary across platforms.

On Microsoft Windows target devices

For the account to invoke FlexNet Inventory Scanner:
  • The LocalSystem account is recommended.
  • A non-LocalSystem account with administrator privileges is also acceptable. (This means that the account is a member of the Administrators security group in Active Directory.)
    Note: On Microsoft Windows, the tracker does not prevent invocation by an account that has lesser privileges; but you would then need to ensure that such an account had all the required access rights for the kinds of inventory you expected to gather on a target device. Since this is highly dependent on your environment, this approach is unsupported.
  • The chosen account must have read-only access to the Windows Service Control Manager (this allows discovery of Oracle services).
  • It must be a member of the Windows local security group ora_dba (in which context, the LocalSystem account is displayed as NT AUTHORITY\SYSTEM).
  • This account uses local OS authentication to take inventory; which means that the SQLNet.AUTHENTICATION_SERVICES property must be set to (NTS) in the sqlnet.ora file located in the %ORACLE_HOME%\network\admin directory (and be aware that, conversely, disabling OS authentication for your Oracle Database prevents FlexNet Inventory Scanner from gathering inventory from Oracle database instances). By default, Oracle disables OS authentication on Windows platforms.
Operation with Oracle Database 9i is an exceptional case. To collect Oracle 9i inventory on Windows, you must run ndtrack as a non-LocalSystem user account. To do this, ensure that the account has administrator privileges on the target device (that is, is included in the Administrators security group) so that it can collect sufficient hardware inventory information; and then set up your Windows scheduled task to include the following:
  • In the General tab of the Task Scheduler, set the user account name in the field for When running the task, use the following user account.
  • In the Actions tab, set the action to Start a program, and the Program/script: value to
    ndtrack.exe -t machine
    The -t machine option is mandatory in this scenario (in contrast, it is the default when the tracker runs as LocalSystem).

On UNIX-like target devices

FlexNet Inventory Scanner (ndtrack.sh):
  • Must run as root to collect Oracle inventory. If it is run under any other account on UNIX-like systems, the gathering of Oracle inventory is blocked.
    Tip: As always, it makes no difference whether you invoke FlexNet Inventory Scanner (ndtrack.sh) directly as root, or whether you run as another account and use sudo (or similar) to elevate to root before invoking FlexNet Inventory Scanner.
  • May impersonate other trusted accounts with lower privilege levels — as discussed in detail in the Common: Child Processes on UNIX-Like Platforms topic in the Gathering FlexNet Inventory PDF, along with coverage of the following preferences in the co-located ndtrack.ini file that affect the choice of account to impersonate:
    Tip: With neither of the following preferences specified, the default behavior is for the FlexNet Inventory Scanner to impersonate the account currently running the database instance, which is assumed to be a member of the dba group. This is the most straight-forward configuration, with no settings needed. If, instead, you intend to specify the OracleInventoryUser preference, it must be an exact match for any Oracle user name that:
    • Is also an operating system account
    • Has OS authentication enabled (and as well, OS authentication, which defaults to enabled for UNIX-like platforms, must not have been disabled using the SQLNet.AUTHENTICATION_SERVICES property in the sqlnet.ora file located in the %ORACLE_HOME%/network/admin folder)
    • Is a member of oinstall (or equivalent group, granting execute permissions for sqlplus)
    • Is either a current member of the dba group on the UNIX host server; or has adequate permissions for inventory gathering (as outlined in this table).
    OracleInventoryAsSysdba OracleInventoryUser Impersonation Connection/Notes

    True (or omitted)

    Configured

    The account nominated in OracleInventoryUser is impersonated

    Database connection is made as sysdba (and account must be a member of the dba group)

    True (or omitted)

    Not configured

    The account running the database instance is impersonated

    Database connection is made as sysdba

    False

    Configured

    The account nominated in OracleInventoryUser is impersonated

    Database connection is made as that same account (which in addition to the prerequisites above, must be configured with adequate read-only privileges as detailed in Appendix C: Oracle Tables and Views for Oracle Inventory Collection)

    False

    Not configured

    None

    Oracle inventory collection does not proceed
  • The impersonated account may need an environmental variable set within its login profile. This applies only in the case where:
    1. A target Oracle database instance is running on a UNIX platform, and
    2. This account (operating system user) was the one used to start the database instance, and
    3. The start-up specified an ORACLE_HOME path which included a symbolic link.
    This use of the symbolic link can hide the database instance from inventory collection by the installed tracker (ndtrack). Either of the following workarounds may be used to ensure that the local tracker can collect inventory from this database instance (and both workarounds may be implemented together without issue):
    • The account running the database instance (say OSUser4Oracle) may set an environment variable within its login profile specifying the ORACLE_HOME path (including the symbolic link) which was used to start the database instance. To test this setting, the following command should display the correct ORACLE_HOME path:
      su -OSUser4Oracle -c "echo \$ORACLE_HOME"
      Tip: If this environment variable is set for any account on the database server, it is applied to all database instances started by the same account on this server. Any mismatch between the (non-empty) environment variable, and the actual path used to start any of these database instances, prevents the collection of database inventory from the mismatched instance by the locally-installed inventory component (ndtrack). Conversely, you can prevent the environment variable option being used for all accounts on the target Oracle server by setting the UserDefinedOracleHome preference (details of this preference are included in Gathering FlexNet Inventory.
    • You can ensure that the Oracle home specified in the /etc/oratab file represents the ORACLE_HOME path used to start the database instance.

FlexNet Manager Suite (On-Premises)

2023 R1