Oracle® Enterprise Manager Cloud Control Extensibility Programmer's Reference
12c Release 3 (188.8.131.52)
As part of the target type definition, you can define the types of credentials specific to the plug-in target type. Examples could be the username and password required by the plug-in to connect to a target instance to collect metric data, or to invoke a specific Enterprise Manager job.
The Enterprise Manager credential subsystem enables Enterprise Manager administrators to store credentials, in a secure manner, as preferences or operation credentials. The credentials can then be used to perform different system management activities, such as real-time monitoring, patching, provisioning, and other target administrative operations.
In this release, the credential subsystem supports storing, accessing, and modifying fixed number user name/password based credentials as preferred credentials, which other Enterprise Manager subsystems access to build automation solutions. The credential subsystem also supports sudo/powerbroker based impersonation.
This chapter covers the following:
The following sections describe the concepts associated with credential service integration:
Credential type is the type of authentication supported by a target type. Various authentication schemes are supported, including native agent authentication and SSH. For more information, see Understanding Credential Types.
A named credential is a user's authentication information on a system and can be a user name/password, a public key-private key pair, or an X509v3 certificate. For more information, see About Named Credentials.
Authentication Target Type
An authenticating target type is the target type that a credential can authenticate against. For more information, see Authenticating Target Types.
The credential set is a placeholder for a credential and can be used to decouple credentials from the system that uses a credential. For more information, see Overview of Credential Sets.
The credential store is a logical store for all the named credentials of an Enterprise Manager administrator in the Enterprise Manager. For more information, see Using the Credential Store.
The credential reference is a way to refer to a credential. For more information, see About the Credential Reference.
Credential type is the type of authentication supported by a target type. For example, a host can support a user name/password based authentication, public key authentication, or Kerberos authentication. Various authentication schemes are supported, including native agent authentication and SSH.
The native agent authentication scheme employs a user name/password structure, while the SSH Key authentication scheme uses a user name/private key/public key structure.
A named credential is a user's authentication information on a system. A named credential can be a user name/password, a public key-private key pair, or an X509v3 certificate. An Enterprise Manager administrator can store these credentials as named entities in Enterprise Manager to use when performing operations like running jobs, patching, and other system management tasks. For example, you can store the user name and password that you want to use for patching as MyPatchingCreds. You can then later submit a patching job that uses MyPatchingCreds to patch the production databases.
Named Credentials can be created for the credential types in Enterprise Manager 12c. The most commonly used credential types for host and database target types are described in the following sections.
For more information on named credentials, see the Configuring and Using Target Credentials section in the Oracle Enterprise Manager Cloud Control Security Guide. This can be found at the following location:
Users can create named credentials by providing the username and password for the host. Privilege delegation properties such as run privilege, runas, and profile can also be provided.
SSH Key Credentials
Named credentials of type SSH Key credential can be created by providing the host username, SSH public key, and SSH private key. Privilege delegation properties such as run privilege, runas, and profile can also be provided.
Named credentials of this type can be created by providing the database username, password, and role.
Database Kerberos Credentials
Named credentials of this type can be created by providing the Kerberos user name and Kerberos password. Database Kerberos credentials cannot be used in this release for automation purposes. These can be used only for user interface operations, such as logging in to the database and viewing pages.
Authenticating target type is the target type that a credential can authenticate against. For example, a SQLScript job has a host credential DBHostCreds that is used to authenticate against the database host. Therefore, the target type for DBHostCreds is Database Instance and the authenticating target type is Host.
The credential set is a placeholder for a credential. Credential sets can be used to decouple credentials from the system that uses a credential. For example, a patching job can be submitted to use the credential set "Normal Host Credentials" while being executed.
The "Normal Host Credentials" credential set can also be set to the actual named credential. The credential set to named credential mapping for the target can be changed without editing the system that uses the credential.
The credential store is a logical store for all the named credentials of an Enterprise Manager administrator in the Enterprise Manager. The Enterprise Manager administrator's user name has a logical private credential store. Individual credentials can be identified by credential names. Enterprise Manager administrators can add, edit, and delete named credentials in the credential store.
The credential reference is a way to refer to a credential. There are three ways credentials can be referenced:
The credential is referenced using the name of the credential in the credential store.
The credential is referenced using the credential set name and the target name. The lookup gets the credential associated with the credential set name and target name.
The credential is specified by providing the values of the attributes. This reference does not refer to a credential in the credential store.
Credential metadata is defined within the target type metadata file. See Creating the Target Type Metadata File for details on this file.
All credential metadata for a target type is defined within a CredentialInfo element. This element in turn contains the following subelements:
CredentialType element that defines the type of credentials to be used to access target instances
CredentialSet element that instantiates an instance of CredentialType
The following shows a basic example defining the credentials required to authenticate with hosts running instances of the target: username and password.
<TargetMetadata>
  ...
  <CredentialInfo>
    <!-- The types of credentials: target host username/password -->
    <CredentialType NAME="HostCreds">
      <Display>
        <Label NLSID="CREDS_HOST_HOSTCREDS">Host Credentials</Label>
      </Display>
      <CredentialTypeColumn NAME="HostUserName" IS_KEY="TRUE">
        <Display>
          <Label NLSID="CREDS_HOST_USERNAME">UserName</Label>
        </Display>
      </CredentialTypeColumn>
      <CredentialTypeColumn NAME="HostPassword">
        <Display>
          <Label NLSID="CREDS_HOST_Password">Password</Label>
        </Display>
      </CredentialTypeColumn>
    </CredentialType>
    <!-- The CredentialSet that creates an instance of CredentialType -->
    <CredentialSet NAME="HostCredsNormal" CREDENTIAL_TYPE="HostCreds" USAGE="PREFERRED_CRED">
      <Display>
        <Label NLSID="CREDS_HOST_HOSTCREDS_NORMAL">Normal Host Credentials</Label>
      </Display>
      <CredentialSetColumn TYPE_COLUMN="HostUserName" SET_COLUMN="username">
        <Display>
          <Label NLSID="CREDS_NORMAL_USER">Normal Username</Label>
        </Display>
      </CredentialSetColumn>
      <CredentialSetColumn TYPE_COLUMN="HostPassword" SET_COLUMN="password">
        <Display>
          <Label NLSID="CREDS_NORMAL_PASSWORD">Normal Password</Label>
        </Display>
      </CredentialSetColumn>
    </CredentialSet>
  </CredentialInfo>
  ...
</TargetMetadata>
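A consistency check for the CredentialInfo structure in the example above, added here as an illustration and not part of Oracle's documentation or tooling. It verifies that each CredentialSet names a CredentialType defined in the same file and that each TYPE_COLUMN refers to a column of that type. The function name `lint_credential_info`, the sample XML, and the rule that every type column should be mapped by a set are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: HostCredsNormal is consistent, the other two sets are not.
SAMPLE = """<CredentialInfo>
  <CredentialType NAME="HostCreds">
    <CredentialTypeColumn NAME="HostUserName" IS_KEY="TRUE"/>
    <CredentialTypeColumn NAME="HostPassword"/>
  </CredentialType>
  <CredentialSet NAME="HostCredsNormal" CREDENTIAL_TYPE="HostCreds" USAGE="PREFERRED_CRED">
    <CredentialSetColumn TYPE_COLUMN="HostUserName" SET_COLUMN="username"/>
    <CredentialSetColumn TYPE_COLUMN="HostPassword" SET_COLUMN="password"/>
  </CredentialSet>
  <CredentialSet NAME="HostCredsPriv" CREDENTIAL_TYPE="HostCreds" USAGE="PREFERRED_CRED">
    <CredentialSetColumn TYPE_COLUMN="HostUser" SET_COLUMN="username"/>
  </CredentialSet>
  <CredentialSet NAME="DbCreds" CREDENTIAL_TYPE="DBCreds" USAGE="PREFERRED_CRED"/>
</CredentialInfo>"""


def lint_credential_info(xml_text):
    """Return a list of findings for the CredentialInfo element in xml_text."""
    root = ET.fromstring(xml_text)
    info = root if root.tag == "CredentialInfo" else root.find(".//CredentialInfo")
    if info is None:
        return ["no CredentialInfo element found"]
    # Map each credential type name to the set of column names it declares.
    types = {}
    for ctype in info.findall("CredentialType"):
        types[ctype.get("NAME")] = {c.get("NAME") for c in ctype.findall("CredentialTypeColumn")}
    findings = []
    for cset in info.findall("CredentialSet"):
        name, tname = cset.get("NAME"), cset.get("CREDENTIAL_TYPE")
        if tname not in types:
            findings.append(f"{name}: unknown CREDENTIAL_TYPE {tname}")
            continue
        mapped = set()
        for col in cset.findall("CredentialSetColumn"):
            tcol = col.get("TYPE_COLUMN")
            if tcol not in types[tname]:
                findings.append(f"{name}: TYPE_COLUMN {tcol} not in {tname}")
            mapped.add(tcol)
        # Assumed rule (not stated on the page): a set should map every type column.
        for missing in sorted(types[tname] - mapped):
            findings.append(f"{name}: {tname} column {missing} is not mapped")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_credential_info(SAMPLE)))
```

Running the check on a target type metadata file before packaging the plug-in catches a mistyped TYPE_COLUMN or CREDENTIAL_TYPE, which would otherwise leave a credential set without a usable user name or password column.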
The key elements that define credentials are described in the following table:
The root element for the credentials definition. Contains
Contains one or more
Instantiates an instance of the credential set defined in
Subelement of CredentialType. Defines a single credential and maps that credential to its corresponding column in the CredentialType. It includes the following attributes: