Install additional software components on Amazon RDS Custom for Oracle

by Jobin Joseph

Amazon Relational Database Service (Amazon RDS) Custom is a managed database service that provides the flexibility to customize your database, underlying server, and operating system configurations needed to support applications that require more control than what a typical managed relational database service provides. Amazon RDS Custom for Oracle is built for legacy, custom, packaged applications, and applications that require access to the underlying OS and DB environment.

When an RDS Custom for Oracle instance is provisioned, it comes with a database environment that consists mainly of database binaries, a starter database, and a database listener. For certain workloads, you may want to install additional software components provided by Oracle or other vendors on the host operating system of the database server.

With the flexibility of Amazon RDS Custom for Oracle, you can customize your database, underlying server, and operating system configurations to support the various requirements of the workload. In this post, we discuss the step-by-step instructions and best practices for installing common software components on Amazon RDS Custom for Oracle without breaking the RDS Custom support perimeter.

Install additional software components and agents

Installation of additional software and agents on the database host might be a requirement to satisfy various application needs or organization standards. Until Amazon RDS Custom was introduced, you had to deploy such workloads as self-managed databases on Amazon Elastic Compute Cloud (Amazon EC2). Amazon RDS Custom for Oracle was launched to address such requirements for workloads that need more access and privileges than what is possible with Amazon RDS for Oracle.

Some of the common requirements that we hear from our customers with regards to the installation of software components on the database host include the following:

  • Install Oracle Enterprise Manager (OEM) Agent on the database host to discover the database instance as a target in Oracle Enterprise Manager Grid Control
  • Install APEX Listener on the database host to support the Oracle Application Express (APEX) feature
  • Install an S-TAP agent on the database host as a root user to monitor the database traffic using the Guardium database activity monitoring solution

Best practices to install software components on an RDS Custom for Oracle environment

The following are some of the best practices and guidelines when installing additional software components in the RDS Custom for Oracle environment:

  • The recommended practice to apply database patches is to create a new custom engine version (CEV) with the desired patches and apply the new CEV to the instance. However, when this approach isn’t feasible (for example, an emergency patching scenario), one-off patches may be directly applied on the ORACLE_HOME using the OPatch utility. Optionally, an updated CEV corresponding to the applied patches can be created and applied to the instance later to synchronize ORACLE_HOME and the CEV used by the instance, although the instance has no dependency on the CEV after it’s provisioned.
  • Do not install additional software components under the /rdsdbbin mount point, which is reserved for Oracle Database binaries.
  • It is recommended to install third-party software and agents as a separate OS user. Installing and running software components and agents as the root user is also supported. Software components related to Oracle Database such as OEM Agent and APEX Listener can be installed as the rdsdb user who owns the Oracle Database binaries.
  • Use the /rdsdbdata file system to host additional software components under new directories created on this mount point. Because this file system is included in automated and manual snapshot backups, it’s recommended to remove temporary staging files that are no longer required after successful installation of the software.
  • Configure the software for logs and trace files to be created on the /rdsdbdata file system and implement periodic purging of those files.
  • Tasks can be scheduled to run automatically using crontab, and auto start of tasks and agents can be configured using systemd.
  • To avoid space pressure on the / mount point, packages can be installed outside the / mount if the installer allows that option for the specific software that is installed. For instance, you can use rpm -ivh --prefix=/rdsdbdata/software_additions to install relocatable packages to the /rdsdbdata mount point.
  • Verify that installing new software components doesn’t break the library dependencies and kernel requirements for the Oracle Database binaries. Refer to the Oracle installation documentation corresponding to the database and OS version for more details. Refer to Supported Oracle Linux 7 Distributions for x86-64 for the details for the 19c database on Oracle Linux 7.
  • Monitor RDS Custom for Oracle Elastic Block Store (EBS) mount points such as data volume (/rdsdbdata), binary volume (/rdsdbbin), and root volume (/), as discussed in Monitor Amazon RDS Custom for Oracle with Amazon CloudWatch metrics, to verify that the installation and configuration of the software components doesn’t exhaust the space available on those volumes.
  • It is recommended to pause and resume automation before and after the installation of additional software components on an RDS Custom for Oracle instance. This ensures that the root volume gets backed up (during resume automation) after the software installation, so that restore activities, including scale compute, can use the latest image of the operating system.
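The pause and resume recommended in the last bullet can be wrapped around any install step so that automation is resumed even when the step fails. The following is an added example, not code from the original post; it assumes the AWS CLI is run from an administrative workstation with permission to modify the instance, and the instance identifier and install command shown in the usage comment are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: run an install step with RDS Custom automation paused,
# and always resume automation afterwards.
# Assumptions: AWS CLI is configured; instance id and install step are hypothetical.

# Set DRY_RUN=1 to print the AWS CLI calls instead of executing them.
run_aws() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "aws $*"
  else
    aws "$@"
  fi
}

pause_automation() {   # $1 = DB instance id, $2 = minutes until automatic resume
  run_aws rds modify-db-instance --db-instance-identifier "$1" \
    --automation-mode all-paused --resume-full-automation-mode-minutes "$2"
}

resume_automation() {  # $1 = DB instance id
  run_aws rds modify-db-instance --db-instance-identifier "$1" --automation-mode full
}

# Pause, run the given command, then resume even if the command failed.
# Returns the exit status of the command (or 1 if pause/resume itself failed).
with_automation_paused() {
  local instance="$1" minutes="$2" rc=0
  shift 2
  case "$minutes" in
    ''|*[!0-9]*) echo "pause window must be a number of minutes" >&2; return 2 ;;
  esac
  # The API accepts a pause window of 60 to 1440 minutes.
  if [ "$minutes" -lt 60 ] || [ "$minutes" -gt 1440 ]; then
    echo "pause window must be 60-1440 minutes" >&2
    return 2
  fi
  pause_automation "$instance" "$minutes" || return 1
  "$@" || rc=$?
  resume_automation "$instance" || return 1
  return "$rc"
}

# Usage (hypothetical instance id and install script):
#   with_automation_paused my-custom-db 90 ./install_step.sh
```

Pick a pause window longer than the expected installation time, because automation resumes on its own when the window expires.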

In this post, we also discuss the high-level steps to install Oracle APEX, the Guardium S-TAP agent, and OEM Agent on the host operating system of an RDS Custom for Oracle instance. The steps discussed here are for reference to provide an overview of the installation process in an RDS Custom for Oracle environment. Refer to the official documentation published by the vendors for detailed instructions for installing a specific version of those software components.

An OS login is needed for performing different activities involved in the installation process. Refer to Connecting to your RDS Custom DB instance using SSH or Connecting to your RDS Custom DB instance using Amazon Web Services Systems Manager to choose your preferred connectivity to the RDS Custom for Oracle instance.

For installing software components on multiple RDS Custom for Oracle instances, the installation process can be simplified using Amazon Web Services Systems Manager documents. Refer to Automate tasks in Amazon RDS Custom for Oracle using Amazon Web Services Systems Manager documents for details.

Install APEX Listener on an RDS Custom for Oracle environment

The steps detailed here are only for reference to show how installation can be done on an RDS Custom for Oracle environment. Refer to Downloading and Installing Oracle APEX for detailed instructions on downloading and installing Oracle APEX depending on the APEX version.

The Oracle APEX architecture requires a webserver to proxy the requests between a browser and the APEX engine. Oracle REST Data Services (ORDS) meets this requirement, and this webserver component can be hosted on the database server or on a different EC2 instance that has connectivity to the RDS Custom for Oracle instance. The steps listed here are for installing the ORDS component on the same RDS Custom for Oracle instance that hosts the database component.

  1. Pause RDS Custom automation
  2. Download and install Oracle APEX (for this post, we installed APEX version 22, which can be downloaded from download.oracle.com).
  • Create a directory named software_addons in the /rdsdbdata mount point to host the additional software components and set the appropriate permissions:
root>mkdir -p /rdsdbdata/sofware_addons
root>chmod a+w /rdsdbdata/sofware_addons
  • Download the APEX installation file and install the APEX component in the database:
rdsdb>cd /rdsdbdata/sofware_addons
mkdir apex
cd apex
wget https://download.oracle.com/otn_software/apex/apex_22.1.zip
unzip apex_22.1.zip
cd /rdsdbdata/sofware_addons/apex/apex

sqlplus "/ as sysdba"
-- Install APEX full development environment.
SQL>@apexins.sql SYSAUX SYSAUX TEMP /i/

-- Exit and reconnect as sysdba
sqlplus "/ as sysdba"
-- Create Administrator account
SQL>@apxchpwd.sql

-- Exit and reconnect as sysdba
SQL>ALTER USER APEX_PUBLIC_USER IDENTIFIED BY <password> account unlock;

-- Configure RESTful services
SQL>@apex_rest_config.sql
  3. Download and install ORDS (see Downloading and Installing Oracle REST Data Services for detailed installation steps):
rdsdb>mkdir -p /rdsdbdata/sofware_addons/apex/ords
cd /rdsdbdata/sofware_addons/apex/ords
wget https://download.oracle.com/otn_software/java/ords/ords-latest.zip

unzip ords-latest.zip
cp -rp /rdsdbdata/sofware_addons/apex/apex/images/ .
  4. Download Java 11 or higher version as required by ORDS:
rdsdb>mkdir -p /rdsdbdata/sofware_addons/java11
cd /rdsdbdata/sofware_addons/java11
tar zxvf  jdk-11.0.17_linux-x64_bin.tar.gz

As per the Oracle blog post Oracle APEX and ORDS now under the Oracle Free Use Terms and Conditions license, APEX and ORDS do not require additional licensing. Verify your license terms and conditions with Oracle to confirm the licensing implications of using JRE for ORDS.

  5. Provide ORDS installation privileges to the ADMIN user:
rdsdb>sqlplus / as sysdba

SQL>@/rdsdbdata/sofware_addons/apex/ords/scripts/installer/ords_installer_privileges.sql ADMIN
  6. Prepare an environment file to set PATH for Java and ORDS binaries:
cat ords.env
export PATH=/rdsdbdata/sofware_addons/java11/jdk-11.0.17/bin:$PATH:/rdsdbdata/sofware_addons/apex/ords/bin

. ords.env

  7. Configure and start ORDS (for more information, refer to Downloading ORDS):
ords --config /rdsdbdata/sofware_addons/apex/ords/config install

Once the installation is completed, you can check APEX using a browser or wget.

wget localhost:8080
If you get the following message, remove the line “<entry key="security.requestValidationFunction">ords_util.authorize_plsql_gateway</entry>” from /rdsdbdata/sofware_addons/apex/ords/config/databases/default/pool.xml and restart ORDS.

HTTP request sent, awaiting response... 404 Not Found
2022-11-09 04:04:06 ERROR 404: Not Found.


rdsdb>ords  --config /rdsdbdata/sofware_addons/apex/ords/config serve

rdsdb>wget localhost:8080

Reusing existing connection to [localhost]:8080.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

You can use systemd to configure auto start of the ORDS component when the EC2 instance reboots.

  8. Resume RDS Custom automation
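For the systemd auto start of ORDS mentioned above, the following added example (not code from the original post) generates a unit file that runs ORDS as the rdsdb user with the paths used in the preceding steps. The unit name ords.service, the restart policy, and the NoNewPrivileges and PrivateTmp settings are assumptions chosen for this example.

```bash
#!/usr/bin/env bash
# Added example: generate a systemd unit that starts ORDS at boot as rdsdb.
# Assumptions: unit name, restart policy and hardening directives are choices
# made for this example; paths are the ones used in the steps of this post.

ADDONS=/rdsdbdata/sofware_addons            # directory name as created in this post
ORDS_HOME=$ADDONS/apex/ords
JAVA_BIN=$ADDONS/java11/jdk-11.0.17/bin

# Print the unit file; the heredoc expands the path variables above.
render_ords_unit() {
  cat <<EOF
[Unit]
Description=Oracle REST Data Services (standalone) for APEX
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=rdsdb
Environment=PATH=$JAVA_BIN:/usr/bin:/bin:$ORDS_HOME/bin
WorkingDirectory=$ORDS_HOME
ExecStart=$ORDS_HOME/bin/ords --config $ORDS_HOME/config serve
Restart=on-failure
RestartSec=10
NoNewPrivileges=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit and, when targeting the real unit directory, enable it.
# Run as root on the RDS Custom host while automation is paused.
install_ords_unit() {   # $1 = unit directory (default /etc/systemd/system)
  local dir="${1:-/etc/systemd/system}"
  render_ords_unit > "$dir/ords.service" || return 1
  chmod 644 "$dir/ords.service"
  if [ "$dir" = /etc/systemd/system ]; then
    systemctl daemon-reload && systemctl enable ords.service
  fi
}
```

Running ORDS under the rdsdb account instead of root keeps the service at the privilege level already used for the ORDS installation in this post.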

Install the Guardium S-TAP agent on an RDS Custom for Oracle environment

Guardium is a comprehensive data protection service that enables security teams to automatically analyze what is happening in sensitive data environments like databases. Many customers use Guardium for database activity monitoring, and it requires the S-TAP agent to be installed on the database servers. Guardium S-TAP is a lightweight software agent installed on database servers for data activity monitoring. The information collected by the S-TAP agent is forwarded to the Guardium collector. It is beyond the scope of this post to discuss the detailed installation steps for S-TAP or the features and configurations of the product. Refer to IBM Guardium for further details and architecture of Guardium.

The installation steps for S-TAP on Linux are discussed in detail in Linux-Unix: Installing the S-TAP agent with RPM.

In this section, we highlight the best practices to follow in an RDS Custom for Oracle environment during the installation of the S-TAP agent.

  1. Pause RDS Custom automation
  2. Prepare the installation directories. The S-TAP agent gets installed to the /opt/guardium directory, which can’t be customized. Due to the limited space available in the / mount point, it’s recommended to create a guardium directory in the /rdsdbdata mount point and create a soft link at /opt/guardium that points to it. See the following code:
root>mkdir -p /rdsdbdata/sofware_addons/Guardium/guardium

root>ln -s /rdsdbdata/sofware_addons/Guardium/guardium /opt/guardium

root>cd /rdsdbdata/sofware_addons/Guardium
  3. Install any prerequisite RPM files:
root>yum install ed
  4. Copy the installation RPM to the /rdsdbdata/sofware_addons/Guardium directory on the RDS Custom for Oracle instance and install the S-TAP agent:
root>export NI_ALLOW_MODULE_COMBOS="Y"
root>rpm -i guard-stap-11.5.0.0.113097-1-rhel-7-linux-x86_64.x86_64.rpm
  5. Complete the configuration by running /opt/guardium/bin/guard-config-update, as discussed in Linux-Unix: S-TAP guard-config-update parameters for RPM installation and update.
  6. Auto start of the S-TAP agent on system reboot is configured automatically. Refer to the troubleshooting guide for more details.
  7. Resume RDS Custom automation

Install OEM Agent on an RDS Custom for Oracle environment

Oracle Enterprise Manager (OEM) Management Agent is a software component that monitors targets running on hosts and communicates that information to the middle-tier Oracle Management Service (OMS). For more information, see Overview of Oracle Enterprise Manager Cloud Control 12c and Overview of Oracle Enterprise Manager Cloud Control 13c. To install OEM Agent on RDS Custom for Oracle, see the following steps:

  1. Prepare security group rules and firewall rules to allow required communication between OMS servers and OEM Agent, which will be deployed on the RDS Custom for Oracle instance. Refer to Configuring Enterprise Manager for Firewalls for more details on the ports for communication between them.
  2. Get the agent installation file from OMS.

There are multiple options to install OEM Agent on the RDS Custom for Oracle instance from OMS, as discussed in Installing Oracle Management Agents 13c Release 1. The example steps here use the emcli get_agentimage option to download the agent deployment file, which can be copied to the RDS Custom for Oracle instance. On the OMS server, run the following code:

./emcli login -username=sysman

./emcli get_supported_platforms
./emcli get_agentimage -destination=/tmp/agentinstaller -platform="Linux x86-64"
  3. Copy the agent installation file to the RDS Custom for Oracle instance.

You can use SCP, an Amazon Simple Storage Service (Amazon S3) bucket, or Amazon Elastic File System (Amazon EFS) integration to copy the installation files to the RDS Custom for Oracle instance. For more information about this integration, refer to Integrate Amazon RDS Custom for Oracle with Amazon EFS.

  4. Pause RDS Custom automation
  5. Prepare the environment and install the agent:
rdsdb>mkdir -p /rdsdbdata/software_addons/agent_software
# Copy the agent installation file to /rdsdbdata/software_addons/agent_software
  6. Create AGENT HOME:
rdsdb>mkdir -p /rdsdbdata/software_addons/agent13c
  7. Create the file /rdsdbdata/software_addons/agent/oraInst.loc with the following contents:
inventory_loc=/rdsdbbin/oraInventory
inst_group=rdsdb
  8. Install the agent (modify the configurations to match your environment):
cd /rdsdbdata/software_addons/agent_software

./agentDeploy.sh AGENT_BASE_DIR=/rdsdbdata/software_addons/agent13c \
-force \
-ignorePrereqs \
-invPtrLoc /rdsdbdata/software_addons/agent/oraInst.loc \
AGENT_PORT=3872 \
EM_UPLOAD_PORT=4903 \
OMS_HOST=10.0.2.51 \
ORACLE_HOSTNAME=ip-10-0-3-211 \
AGENT_INSTANCE_HOME=/rdsdbdata/software_addons/agent13c/agent_inst \
AGENT_REGISTRATION_PASSWORD=password \
SCRATCHPATH=/tmp
  9. Run root.sh:
root> sh /rdsdbdata/software_addons/agent13c/agent_13.5.0.0.0/root.sh
  10. After the installation is successfully complete, verify that the agent is healthy:
rdsdb>/rdsdbdata/software_addons/agent13c/agent_inst/bin/emctl status agent
.
.
.
Collection Status                            : Collections enabled
Heartbeat Status                             : Ok
Last attempted heartbeat to OMS              : 2022-11-22 13:48:37
Last successful heartbeat to OMS             : 2022-11-22 13:48:37
Next scheduled heartbeat to OMS              : 2022-11-22 13:49:37

---------------------------------------------------------------
Agent is Running and Ready

/rdsdbdata/software_addons/agent13c/agent_inst/bin/emctl upload agent
Oracle Enterprise Manager Cloud Control 13c Release 5
Copyright (c) 1996, 2021 Oracle Corporation.  All rights reserved.
---------------------------------------------------------------
EMD upload completed successfully

By default, the agent is configured to start automatically using the /etc/init.d/gcstartup script, as discussed in Understanding the Startup Scripts.

  11. Confirm that the host target (the hostname of the RDS Custom for Oracle instance) is visible in OEM.

  12. Add RDS Custom for Oracle instance targets such as database and listener to the OEM using the Amazon RDS console.
  13. Resume RDS Custom automation

Clean up

When the installation of the software components is successfully completed, clean up the installation files and temporary files that are no longer needed for the functioning of the software. This includes files such as apex_22.1.zip, ords-latest.zip, jdk-11.0.17_linux-x64_bin.tar.gz, and guard-stap-11.5.0.0.113097-1-rhel-7-linux-x86_64.x86_64.rpm which were staged for the installation of various components as discussed in this post.

Conclusion

If your workload requires the installation of additional software modules or agents on the database host and a managed service is preferred to run the Oracle Database workload, then Amazon RDS Custom for Oracle is your choice. In this post, we discussed the step-by-step instructions for installing common software components such as OEM Agent, APEX, and the Guardium S-TAP agent on Amazon RDS Custom for Oracle without breaking the support perimeter, and general best practices for software installation on an RDS Custom for Oracle instance.

If you have any comments or questions, leave them in the comments section.


About the authors

Jobin Joseph is a Senior Database Specialist Solution Architect based in Toronto. With a focus on relational database engines, he assists customers in migrating and modernizing their database workloads to Amazon Web Services. He is an Oracle Certified Master with 20 years of experience with Oracle databases.

