Oracle’s documentation of Oracle Enterprise Manager’s ports is very minimal. This short article documents my findings from clarifying each of these ports with Oracle Support. Hopefully, by documenting this, companies that are very stringent on security, such as those subject to compliance requirements, can use it as a reference.
The only diagram I could find in the documentation covers just the fundamental set of ports that OEM needs.
After working with Oracle Support to clarify each port, the following are my findings. The ports are divided into five major categories:
- Agent and OMS: This is the communication where the targets’ agents upload metrics to OMS.
- Browser and OMS: This is your browser traffic to OMS.
- Internal within OMS: This is communication internal to OMS only.
- OMS and OMR: This is repository traffic from the OMS to the OMR.
- Workstations and OMR: You still need to access the OMR database from your workstations to perform DBA tasks.
OMS = Oracle Management Service (the middle tier of OEM)
OMR = Oracle Management Repository (the database tier of OEM)
Recommended Port Range | Chosen Port | Purpose | Initiator | Used? | Comments
---|---|---|---|---|---
**Agent and OMS** | | | | |
N/A | 22 | OMS to ssh to target hosts | OMS | YES | Can be revoked after agent deployment.
3872, 1830-1849 | 3872 | Oracle Management Agent port | OMS | YES |
4889-4898 | 4889 | Enterprise Manager Upload HTTP port | Agent | NO | Locked by default
1159, 4899-4908 | 4903 | Enterprise Manager Upload HTTP SSL port | Agent | YES |
N/A | 1521 | Oracle Database port | Agent | YES | This is for OMS to talk to database targets.
**Browser and OMS** | | | | |
N/A | 80 | HTTP | Browser | YES |
N/A | 443 | HTTPS | Browser | YES |
7101-7200 | 7102 | Admin Server HTTP SSL port | Browser | YES |
7788-7798 | 7788 | Enterprise Manager Central Console HTTP port | Browser | NO | Locked by default
7799-7809 | 7802 | Enterprise Manager Central Console HTTP SSL port | Browser | YES |
9788, 9751-9800 | 9788 | OHS HTTP port | Browser | NO |
9899, 9851-9900 | 9851 | OHS HTTP SSL port | Browser | YES |
9701, 9701-9750 | 9701 | BI Publisher HTTP port | Browser | NO | Locked by default
9801, 9801-9850 | 9803 | BI Publisher HTTP SSL port | Browser | YES |
**Internal within OMS** | | | | |
7201-7300 | 7202 | Managed Server HTTP port | Internal | NO | Redirections between OHS and WebLogic only.
7301-7400 | 7301 | Managed Server HTTP SSL port | Internal | YES | Redirections between OHS and WebLogic only.
7401-7500 | 7403 | Node Manager HTTP SSL port | Internal | YES |
**OMS and OMR** | | | | |
N/A | 1521 | Oracle Database port | OMS | YES | This port needs to be opened for the hostnames, VIPs, and the SCAN name/IPs.
**Workstations and OMR** | | | | |
N/A | 1521 | Oracle Database port | Workstations | YES | This port needs to be opened for the hostnames, VIPs, and the SCAN name/IPs.
Hi there. Once we registered the database in OEM, we have issues with communication between OEM and the agent. When we try to check database activity we get:
IO Error: The Network Adapter could not establish the connection
We suspect we need to open an additional port, but we cannot find it yet.
Searching through the agent’s processes, we found that the agent processes use port 47632.
Do you know anything about this port?
Hello!
First of all, OEM doesn’t communicate through random ports like that.
Seeing a random port like that, I’m almost certain that this is the SQL*Net communication after a handoff.
Is there any special setup on the database that OEM is hitting? For example, is it on Windows? Is it using shared server instead of dedicated servers?
In those special setups:
1) the client reaches the listener;
2) the listener performs a handoff, meaning that it redirects the client connection to a server process;
3) the client and the server process talk through a random port without the listener’s intervention.
Hope this helps,
Brian
Thanks for your answer
And no, the servers are both Linux.
And both are dedicated.
I have another question about the ports I need to open.
I am unsure if they should be open both ways, ingress and egress, for the 1521 and 3872 ports.
What do you think?
Definitely open the ports both ways. The network engineers would want to know which way the communication is initiated, as shown in the table I have on the post, but it needs to be bi-directional.
Brian