This chapter describes how to configure Oracle Enterprise Manager Security. Specifically, this chapter contains the following sections:
Oracle Enterprise Manager provides tools and procedures to help you ensure that you are managing your Oracle environment in a secure manner. The goals of Oracle Enterprise Manager security are:
To be sure that only users with the proper privileges have access to critical monitoring and administrative data.
This goal is met by requiring username and password credentials before users can access the Enterprise Manager consoles and appropriate privileges for accessing the critical data.
To be sure that all data transferred between Enterprise Manager components is transferred in a secure manner and that all data gathered by each Oracle Management Agent can be transferred only to the Oracle Management Service for which the Management Agent is configured.
This goal is met by enabling Enterprise Manager Framework Security. Enterprise Manager Framework Security automates the process of securing the Enterprise Manager components installed and configured on your network.
To be sure that sensitive data such as credentials used to access target servers are protected.
This goal is met by Enterprise Manager's encryption support. Sensitive data is encrypted with the emkey. If you follow the best practice of keeping the emkey out of the Management Repository, even the repository owner and a SYSDBA user cannot read the sensitive data, because the key needed to decrypt it is not stored alongside it.
To be sure that access to managed targets is controlled through user authentication and privilege delegation.
This goal is met by configuring the Management Agent with PAM and LDAP for user authentication and using privilege delegation tools like Sudo and PowerBroker.
Grid Control Authentication is the process of determining the validity of the user accessing Enterprise Manager Grid Control. The authentication feature is available across the different user interfaces such as Enterprise Manager Grid Control console and Enterprise Manager Command Line Interface.
The following authentication schemes are available:
Repository-Based Authentication: This is the default authentication option. An Enterprise Manager administrator is also a repository (database) user, so this option gives you all the password controls that a database password profile provides: enforced password complexity, password lifetime, and a limit on the number of failed login attempts. During the password grace period the administrator is prompted to change the password; once the password has expired, it must be changed before the administrator can log in. For more details, refer to Repository-Based Authentication.
SSO-Based Authentication: The single sign-on based authentication provides strengthened and centralized user identity management across the enterprise. After you have configured Enterprise Manager to use the Oracle Application Server Single Sign-On, you can register any single sign-on user as an Enterprise Manager administrator. You can then enter your single sign-on credentials to access the Oracle Enterprise Manager Grid Control console. For more details, refer to Single Sign-On Based Authentication.
Enterprise User Security Based Authentication: The Enterprise User Security (EUS) option enables you to create and store enterprise users and roles for the Oracle database in an LDAP-compliant directory server. Once the repository is configured with EUS, you can configure Enterprise Manager to use EUS as its authentication mechanism as described in Enterprise User Security Based Authentication. You can register any EUS user as an Enterprise Manager administrator.
EUS helps centralize the administration of users and roles across multiple databases. If the managed databases are configured with EUS, the process of logging into these databases is simplified. When you drill down to a managed database, Enterprise Manager will attempt to connect to the database using Enterprise Manager Grid Control credentials. If successful, Enterprise Manager will directly connect you to the database without displaying a login page.
Enterprise Manager Grid Control allows you to create and manage new administrator accounts. Each administrator account includes its own login credentials as well as a set of roles and privileges that are assigned to the account. You can also assign a password profile to the administrator. To create, edit, or view an administrator account:
From Enterprise Manager Grid Control, click Setup.
Click Administrators in the vertical navigation bar.
Click the appropriate task button on the Administrators page. The following screen is displayed:
On this page, you can specify the type of administrator account being created, select the password profile, and the password expiry period. The password cannot be changed by the administrator if the Prevent Password Change checkbox is selected.
If you select the Expire Password Now checkbox, the password for administrator account will be set to an expired state. If the password has expired, when you login the next time, the following screen is displayed and you are prompted to change the password.
Enter your current password and the new password and click Apply. You can now start using Enterprise Manager Grid Control.
If you are currently using Oracle Application Server Single Sign-On to control access and authorization for your enterprise, you can extend those capabilities to the Grid Control Console.
By default, when you navigate to the Grid Control Console, Enterprise Manager displays the Enterprise Manager login page. However, you can configure Enterprise Manager so it uses Oracle Application Server Single Sign-On to authenticate your Grid Control Console users. Instead of seeing the Enterprise Manager login page, Grid Control Console users will see the standard Oracle Application Server Single Sign-On login page. From the login page, administrators can use their Oracle Application Server Single Sign-On credentials to access the Oracle Enterprise Manager 10g Grid Control Console.
Note:
You can configure Enterprise Manager Grid Control to either use Oracle Application Server Single Sign-On or the Enterprise User Security features. You cannot use both options at the same time.
When Enterprise Manager is configured to use Single Sign-On with Server Load Balancer, make sure that the correct monitoring settings have been defined. For details, refer to the chapter on Grid Control Common Configurations.
The following sections describe how to configure Enterprise Manager as an OracleAS Single Sign-On Partner Application:
To register Enterprise Manager as a partner application manually, follow these steps:
Enter the following URL to navigate to the SSO Administration page.
http://sso_host:sso_port/pls/orasso
Log in as the orcladmin user and click SSO Administration.
Click Administer Partner Applications and then click Add Partner Application.
Enter the following information on the Add Partner Application page.
Name: <EMPartnerName>
Home URL: protocol://em_host:em_port
Success URL: protocol://em_host:em_port/osso_login_success
Logout URL: protocol://em_host:em_port/osso_logout_success
Administrator Email: user@host.com
where em_host, em_port, and protocol are the Management Service host, port, and protocol (http or https) in use.
After entering these details, click Edit <EMPartnerName> and enter the following parameters, which are used to generate the osso.txt file. Sample values are shown below; osso.txt holds one key=value pair per line:
sso_server_version=v1.2
cipher_key=<EncryptionKeyValue>
site_id=<IDValue>
site_token=<TokenValue>
login_url=protocol://sso_host:sso_port/pls/orasso/orasso.wwsso_app_admin.ls_login
logout_url=protocol://sso_host:sso_port/pls/orasso/orasso.wwsso_app_admin.ls_logout
cancel_url=protocol://em_host:em_port
sso_timeout_cookie_name=SSO_ID_TIMEOUT
sso_timeout_cookie_key=9E231B3C1A3A808A
Treat cipher_key and site_token as secrets: restrict access to osso.txt and delete it once osso.conf has been generated.
Enter the following command to generate the osso.conf file:
WEBTIER_HOME/ohs/bin/iasobf osso.txt osso.conf root
Use the osso.conf file to configure the Management Service with the emctl command as follows:
emctl config oms sso -ossoconf <ossoconf file> -dasurl <dasurl> [-unsecure] [-sysman_pwd <pwd>] [-domain <domain>]
where:
-ossoconf is the path to the osso.conf file.
-dasurl is the URL specifying the host and port for the Delegated Administration Service (DAS). Generally, the DAS host name and port are the same as the host name and port of the Oracle Application Server Single Sign-On server. For example: http://mgmthost1.acme.com:7777
-unsecure registers the http port (rather than the https port) with the single sign-on server.
-sysman_pwd is the SYSMAN user password. If this parameter is not specified, you are prompted to enter it.
-domain is the name of the host domain. Specify this parameter if the fully qualified name of the host is not available.
The sample output for this command is shown below:
emctl config oms sso -ossoconf /tmp/osso.conf -dasurl http://somehost.domain.com:7777
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
Enter SYSMAN user password :
SSO Configuration done successfully, Please restart OMS.
Restart the WebTier and the OMS as follows:
emctl stop oms
emctl start oms
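The following added example (not part of the Oracle documentation) runs sanity checks over an osso.txt file before it is obfuscated with iasobf and handed to emctl config oms sso. It assumes that osso.txt holds one key=value pair per line (the "key: value" form shown on the SSO administration page is also accepted), that the login, logout and cancel URLs should be https in production, and that the sample file embedded below is a constructed stand-in for a real registration; the two command lines it renders are the ones from the procedure above.

```python
"""Pre-flight checks on osso.txt partner-registration parameters.

Added example, not Oracle code.  Assumptions: one key=value pair per line,
SSO URLs expected to be https, and a constructed sample file."""
from urllib.parse import urlparse

# Every parameter the partner registration must carry.
REQUIRED_KEYS = (
    "sso_server_version", "cipher_key", "site_id", "site_token",
    "login_url", "logout_url", "cancel_url",
    "sso_timeout_cookie_name", "sso_timeout_cookie_key",
)

# Placeholders from the documentation that must not survive into a real file.
PLACEHOLDERS = ("<EncryptionKeyValue>", "<IDValue>", "<TokenValue>",
                "sso_host", "em_host", "protocol://")


def parse_osso(text):
    """Parse osso.txt into a dict, ignoring blank lines and '#' comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        params[key.strip()] = value.strip()
    return params


def check_osso(params, em_host):
    """Return a list of findings; an empty list means the file looks sane."""
    findings = []
    for key in REQUIRED_KEYS:
        if not params.get(key):
            findings.append(f"missing {key}")
    for key, value in params.items():
        if any(p in value for p in PLACEHOLDERS):
            findings.append(f"{key} still contains a documentation placeholder")
    for key in ("login_url", "logout_url", "cancel_url"):
        url = params.get(key, "")
        scheme = urlparse(url).scheme
        if url and scheme != "https":
            # The SSO credentials and session cookie travel over these URLs.
            findings.append(f"{key} uses {scheme or 'no'} scheme; expected https")
    cancel_host = urlparse(params.get("cancel_url", "")).hostname
    if cancel_host and cancel_host != em_host:
        findings.append(f"cancel_url points at {cancel_host}, not the EM host {em_host}")
    if params.get("sso_server_version") != "v1.2":
        findings.append("sso_server_version is not v1.2")
    return findings


def registration_commands(osso_txt, osso_conf, das_url):
    """The two commands from the procedure above, with the checked file names."""
    return (
        f"WEBTIER_HOME/ohs/bin/iasobf {osso_txt} {osso_conf} root",
        f"emctl config oms sso -ossoconf {osso_conf} -dasurl {das_url}",
    )


# Constructed sample: login_url was left on plain http.
SAMPLE_OSSO_TXT = """\
sso_server_version=v1.2
cipher_key=0123456789ABCDEF
site_id=1234
site_token=ABCD1234
login_url=http://sso.example.com:7777/pls/orasso/orasso.wwsso_app_admin.ls_login
logout_url=https://sso.example.com:4443/pls/orasso/orasso.wwsso_app_admin.ls_logout
cancel_url=https://em.example.com:7799
sso_timeout_cookie_name=SSO_ID_TIMEOUT
sso_timeout_cookie_key=9E231B3C1A3A808A
"""

if __name__ == "__main__":
    problems = check_osso(parse_osso(SAMPLE_OSSO_TXT), "em.example.com")
    for p in problems:
        print("WARNING:", p)
    if not problems:
        for cmd in registration_commands("osso.txt", "osso.conf",
                                         "https://sso.example.com:4443"):
            print(cmd)
```

Run it against the real osso.txt with the Management Service host name; only proceed to iasobf and emctl config oms sso when it reports no findings, and remember that the -unsecure flag and an http login_url both leave the SSO exchange in the clear.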
To remove the single sign-on configuration, run the following command:
emctl config oms sso -remove [-sysman_pwd <pwd>]
where -sysman_pwd is the SYSMAN repository password.
Example 2-1 Sample Output of the emctl config oms sso -remove command
emctl config oms sso -remove
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
Enter SYSMAN user password :
SSO Configuration removed successfully, Please restart OMS.
Restart the OMS using:
emctl stop oms
emctl start oms
After you have configured Enterprise Manager to use the Single Sign-On logon page, you can register any Single Sign-On user as an Enterprise Manager administrator. You can register single sign-on users using:
Enterprise Manager Grid Control Graphical User Interface
Enterprise Manager Grid Control Command Line Interface
You can use the graphical user interface to register single sign-on users by following these steps:
Go to the Enterprise Manager Grid Control Console URL.
For example:
http://mgmthost1.acme.com:7777/em
The browser is redirected to the standard Single Sign-On Logon page.
Enter the credentials for a valid Single Sign-On user.
If the Single Sign-On user is not an Enterprise Manager administrator, the browser is redirected to a modified version of the Enterprise Manager logon page (Figure 2-3).
Log in to Enterprise Manager as a Super Administrator.
Click Setup and then click Administrators to display the Administrators page.
See Also:
"Creating, Editing, and Viewing Administrators" in the Enterprise Manager online Help
Because Enterprise Manager has been configured to use Single Sign-On, the first page in the Create Administrator wizard now offers you the option of creating an administrator based on a registered Oracle Internet Directory user.
Select Oracle Internet Directory and advance to the next page in the wizard.
Enter the name and e-mail address of the Oracle Internet Directory user, or click the flashlight icon to search for a user name in the Oracle Internet Directory.
Use the rest of the wizard pages to define the roles, system privileges, and other characteristics of the Enterprise Manager administrator and then click Finish.
Enterprise Manager displays a summary page that lists the characteristics of the administrator account.
Click Finish to create the new Enterprise Manager administrator.
The OID user is now included in the list of Enterprise Manager administrators. You can now verify the account by logging out of the Grid Control Console and logging back in using the OID user credentials on the Single Sign-On logon page.
Figure 2-3 Modified Enterprise Manager Logon Page When Configuring SSO
Figure 2-4 Create Administrator Page When SSO Support Is Enabled
You can use the following EMCLI command to create Single Sign-On users:
emcli create_user -name=ssouser -type=EXTERNAL_USER
This command creates a user with the name ssouser who is authenticated against the single sign-on user.
Argument | Description |
---|---|
-name | Name of the administrator. |
-type | The type of user. The default value is EM_USER (a repository-authenticated administrator). The other possible values are EXTERNAL_USER (a Single Sign-On user) and DB_EXTERNAL_USER (an Enterprise User Security user). |
-password | The password for the administrator. |
-roles | The list of roles that can be granted to this administrator. |
-email | The list of email addresses for this administrator. |
-privilege | A privilege granted to the administrator, written as privilege;object (for example view_target;<host>.com:host). This option can be specified more than once. |
-profile | The name of the database profile. This is an optional parameter. The default profile used is DEFAULT. |
-desc | The description of the user being added. |
-expired | Sets the password to "expired" status. This is an optional parameter and is set to False by default. |
-prevent_change_password | When this parameter is set to True, the user cannot change the password. This is an optional parameter and is set to False by default. |
-input_file | Allows the administrator to provide the values for any of these arguments in an input file. The format of the value is name_of_argument:file_path_with_file_name. |
Example 1
emcli create_user -name="new_admin" -password="oracle" -email="first.last@oracle.com;joe.shmoe@shmoeshop.com" -roles="public" -privilege="view_job;923470234ABCDFE23018494753091111" -privilege="view_target;<host>.com:host"
This example creates an Enterprise Manager administrator named new_admin. This administrator has two privileges: the ability to view the job with ID 923470234ABCDFE23018494753091111 and the ability to view the target <host>.com:host. The administrator new_admin is granted the PUBLIC role.
Example 2
emcli create_user -name="User1" -type="EXTERNAL_USER" -input_file="privilege:/home/user1/priv_file"
The contents of priv_file are:
view_target;<host>.com:host
This example registers User1, which has been created externally (a Single Sign-On user), as an Enterprise Manager user. User1 will have view privileges on <host>.com:host.
Example 3
emcli create_user -name="User1" -desc="This is temp hire." -prevent_change_password="true" -profile="MGMT_ADMIN_USER_PROFILE"
This example creates User1 as an Enterprise Manager user with a description. prevent_change_password is set to true to indicate that the password cannot be changed by User1, and the profile is set to MGMT_ADMIN_USER_PROFILE.
Example 4
emcli create_user -name="User1" -desc="This is temp hire." -expired="true"
This example creates User1 as an Enterprise Manager administrator with a description. Since the password is set to expire immediately, the user is prompted to change the password at the first login.
The emctl config oms sso command adds the Oracle Enterprise Manager Grid Control Console as an Oracle Application Server Single Sign-On partner application. Partner applications are those applications that have delegated authentication to the Oracle Application Server Single Sign-On Server.
To see the list of partner applications, navigate to the following URL:
http://hostname:port/pls/orasso/orasso.home
For example:
http://ssohost1.acme.com:7777/pls/orasso/orasso.home
After you configure Enterprise Manager to use the Single Sign-On logon page, you can bypass the Single Sign-On page at any time and go directly to the Enterprise Manager logon page by entering the following URL. This bypass is available to anyone who can reach the Management Service, so repository-authenticated accounts such as SYSMAN still need strong passwords and a suitable password profile after Single Sign-On is enabled:
http://hostname.domain:port/em/console/logon/logon
For example:
http://mgmthost1.acme.com:7777/em/console/logon/logon
Enterprise User Security enables you to create and store Oracle database information as directory objects in an LDAP-compliant directory server. For example, an administrator can create and store enterprise users and roles for the Oracle database in the directory, which helps centralize the administration of users and roles across multiple databases.
See Also:
Enterprise User Security Configuration Tasks and Troubleshooting in the Oracle Database Advanced Security Administrator's Guide
If you currently use Enterprise User Security for all your Oracle databases, you can extend this feature to Enterprise Manager. Configuring Enterprise Manager for use with Enterprise User Security simplifies the process of logging in to database targets you are managing with the Oracle Enterprise Manager Grid Control Console.
To configure Enterprise Manager for use with Enterprise User Security:
Ensure that you have enabled Enterprise User Security for your Oracle Management Repository database, as well as the database targets you will be managing with the Grid Control Console. Refer to Oracle Database Advanced Security Administrator's Guide for details.
Using the emctl set property command, set the following properties:
oracle.sysman.emSDK.sec.DirectoryAuthenticationType=EnterpriseUser
oracle.sysman.emSDK.sec.eus.Domain=<ClientDomainName> (for example: mydomain.com)
oracle.sysman.emSDK.sec.eus.DASHostUrl=<das_url> (for example: http://my.dashost.com:7777)
For example:
emctl set property -name oracle.sysman.emSDK.sec.DirectoryAuthenticationType -value EnterpriseUser
Change directory to the ORACLE_HOME/sysman/config directory and open the emoms.properties file in a text editor.
Add the following entries to the emoms.properties file:
oracle.sysman.emSDK.sec.DirectoryAuthenticationType=EnterpriseUser
oracle.sysman.emSDK.sec.eus.Domain=<ClientDomainName> (for example: mydomain.com)
oracle.sysman.emSDK.sec.eus.DASHostUrl=<das_url> (for example: http://my.dashost.com:7777)
Save and close the emoms.properties file.
Stop the Oracle Management Service.
Start the Management Service.
The next time you use the Oracle Enterprise Manager Grid Control Console to drill down to a managed database, Enterprise Manager will attempt to connect to the database using Enterprise User Security. If successful, Enterprise Manager will connect you to the database without displaying a login page. If the attempt to use Enterprise User Security fails, Enterprise Manager will prompt you for the database credentials.
After you have configured Enterprise Manager to use Enterprise Users, you can register existing enterprise users as Enterprise Manager Users and grant them the necessary privileges so that they can manage Enterprise Manager effectively.
You can register existing enterprise users by using:
Enterprise Manager Grid Control Graphic User Interface
Enterprise Manager Command Line Interface
You can use the graphical user interface to register enterprise users by following these steps:
Log into Enterprise Manager as a Super Administrator.
Click Setup and then click Administrators to display the Administrators page. Since Enterprise Manager has been configured to use Enterprise Users, the first page of the Create Administrator wizard will provide the option to create an administrator based on a registered Oracle Internet Directory user or a normal database user.
Select Oracle Internet Directory and click Continue to go to the next page in the wizard.
Enter the name and e-mail address of the Oracle Internet Directory user or click the flashlight icon to search for a user name in the Oracle Internet Directory.
Use the rest of the wizard pages to define the roles, system privileges, and other characteristics of the Enterprise Manager administrator and then click Finish. Enterprise Manager displays a summary page that lists the characteristics of the administrator account.
Click Finish to create the new Enterprise Manager administrator.
The OID user is now included in the list of Enterprise Manager administrators. You can now verify the account by logging out of the Grid Control Console and logging back in using the OID user credentials on the Single Sign-On logon page.
To register Enterprise Users as Enterprise Manager users using EMCLI, enter the following command:
emcli create_user -name=eususer -type=DB_EXTERNAL_USER
This command registers the eususer
as an Enterprise Manager user where eususer
is an existing Enterprise User. For more details, refer to Registering Single Sign-On Users Using EMCLI.
System security is a major concern of any corporation. Giving the same level of access to all systems to all administrators is dangerous, but individually granting access to tens, hundreds, or even thousands of targets to every new member of the group is time consuming. With Enterprise Manager's administrator privileges and roles feature, this task can be performed within seconds, instead of hours. Authorization controls the access to the secure resources managed by Enterprise Manager via system, target, and object level privileges and roles.
This section describes Enterprise Manager's Authorization model including user classes, roles, and privileges assigned to each user class. The following topics are described:
Classes of Users
Privileges and Roles
Oracle Enterprise Manager supports different classes of Oracle users, depending upon the environment you are managing and the context in which you are using Oracle Enterprise Manager Grid Control.
The Enterprise Manager administrators you create and manage in the Grid Control Console are granted privileges and roles to log in to the Grid Control Console and to manage specific target types and to perform specific management tasks. The default super administrator for the Grid Control Console is the SYSMAN user, which is a database user associated with the Oracle Management Repository. You define the password for the SYSMAN account during the Enterprise Manager installation procedure.
By restricting access to privileged users and providing tools to secure communications between Oracle Enterprise Manager 11g components, Enterprise Manager protects critical information in the Oracle Management Repository.
The Management Repository contains management data that Enterprise Manager Grid Control uses to help you monitor the performance and availability of your entire enterprise. This data provides you with information about the types of hardware and software you have deployed, as well as the historical performance and specific characteristics of the applications, databases, applications servers, and other targets that you manage. The Management Repository also contains information about the Enterprise Manager administrators who have the privileges to access the management data.
You can create and manage Enterprise Manager administrator accounts. Each administrator account includes its own login credentials, as well as a set of roles and privileges that are assigned to the account. There are three administrator access categories:
Super Administrator: Powerful Enterprise Manager administrator with full access privileges to all targets and administrator accounts within the Enterprise Manager environment. The Super Administrator, SYSMAN is created by default when Enterprise Manager is installed. The Super Administrator can create other administrator accounts.
Administrator: Regular Enterprise Manager administrator.
Repository Owner: Database administrator for the Management Repository. This account cannot be modified, duplicated, or deleted.
The types of management tasks that the administrator can perform and targets that he can access depends on the roles, system privileges, and target privileges that he is granted. The Super Administrator can choose to let certain administrators perform only certain management tasks, or access only certain targets, or perform certain management tasks on certain targets. In this way, the Super Administrator can divide the workload among his administrators.
User privileges provide a basic level of security in Enterprise Manager. They are designed to control user access to data and to limit the kinds of SQL statements that users can execute. When creating a user, you grant privileges to enable the user to connect to the database, to run queries and make updates, to create schema objects, and more.
When Enterprise Manager is installed, the SYSMAN user (super administrator) is created by default. The SYSMAN Super Administrator then creates other administrator accounts for daily administration work. The SYSMAN account should only be used to perform infrequent system-wide, global configuration tasks. The Super Administrator divides workload among administrators by filtering target access, or filtering access to management tasks, or both, through the roles, System Privileges, and Target Privileges granted to them. For example, some administrators can be allowed to view any target and to add any target in the enterprise, while others are limited to specific operations such as maintaining and cloning a target for which they are responsible.
A role is a collection of Enterprise Manager system privileges, or target privileges, or both, which you can grant to administrators or to other roles. Roles can be based upon geographic location (for example, a role for Canadian administrators to manage Canadian systems), line of business (for example, a role for administrators of the human resource systems or the sales systems), or any other model. Administrators do not want to individually grant access to tens, hundreds, or even thousands of targets to every new member of their group. By creating roles, an administrator needs only to assign the role that includes all the appropriate privileges to team members instead of granting many individual privileges, and can divide workload by filtering target access, or filtering access to management tasks, or both.
Public Role: Enterprise Manager creates one role by default called Public. This role is unique in that it is automatically assigned to all new non-super administrators when they are created. By default it has no privileges assigned to it. The Public role should be used to define default privileges you expect to assign to a majority of non-super administrators you create. Privileges need not be assigned to Public initially - they can be added at any time. The role may be deleted if your enterprise does not wish to use it. If deleted, it can be added back in later if you later decide to implement it.
A privilege is a right to perform management actions within Enterprise Manager. Privileges can be divided into three categories:
System Privileges
Target Privileges
Object Privileges
System Privileges: These privileges allow a user to perform system wide operations. To set the System Privileges, click the Setup link to navigate to the Setup Overview page and click on the Administrators option in the left panel. Select an administrator from the list and click Edit. The Edit Administrator wizard is displayed. Click Next to navigate through the wizard to see the System Privileges page:
System Privilege | Description |
---|---|
USE ANY BEACON | Allows the administrator to use any Beacon on any monitored host to monitor transactions, URLs, and network components. |
ADD ANY TARGET | Allows the administrator to add any target to Enterprise Manager for monitoring, administration and management. |
VIEW ANY TARGET | Allows the administrator to view any target on the system, including Oracle Management Agents and Management Services. Whenever the |
CREATE PRIVILEGE PROPAGATING GROUP | Allows the administrator to create privilege propagating groups. Privileges granted to such groups will be automatically granted to all members of the group. |
MONITOR ENTERPRISE MANAGER | Allows the administrator to monitor the availability and performance of Enterprise Manager itself, and grants the administrator access to the following targets: the database used for the Management Repository, the Management Service and Management Repository, and all Oracle Management Agents in the global enterprise. |
PUBLISH REPORT | Allows the administrator to publish reports for public use. |
JVM Diagnostics Administrator | Allows the administrator to manage JVM Diagnostics operations. |
JVM Diagnostics User | Allows the user to view JVM Diagnostics data. |
Request Monitoring Administrator | Allows the user to manage E2E administrator operations. |
Request Monitoring User | Allows the user to view E2E data. |
Select the check box to select the system privilege to be granted to the administrator and click Next. The Target Privileges page is displayed.
Target Privileges: These privileges allow an administrator to perform operations on a target. The Target Privileges page shows a list of targets for which privileges can be granted. Select a target from the list and click the pencil icon in the Privilege column. The following screen is displayed.
Select the check box to specify the privileges that are to be granted and click Continue. For more details on setting these privileges, see the Enterprise Manager Online Help.
Target Privilege | Description |
---|---|
FULL | Implicitly grants all the target privileges and allows the administrator to delete the target from the Enterprise Manager system. |
OPERATOR | Allows the administrator to perform normal administrative operations on a target such as configure a blackout, or edit the properties. |
BLACKOUT TARGET | Allows the administrator to create, edit, schedule, and stop blackouts on a target. |
MANAGE TARGET ALERTS | Allows the administrator to clear stateless alerts, manually re-evaluate alerts and acknowledge alerts for the target. |
CONFIGURE TARGET | Allows the administrator to edit target properties and modify monitoring configurations. |
MANAGE TARGET METRICS | Allows the administrator to edit thresholds for metric and policy settings, apply monitoring templates and manage user defined metrics. |
VIEW | Allows the administrator to view properties, inventory and monitoring information about a target. |
Object Privileges: These privileges allow an administrator to perform a particular action on a specific schema object. Different object privileges are available for different types of schema objects.
Object Privilege | Description |
---|---|
VIEW JOB | Provides the administrator with the ability to view the job and its definition. |
FULL JOB | Provides the administrator with the ability to view, edit, submit, and delete the job. |
VIEW REPORT | Provides the administrator with the ability to view the report. |
VIEW TEMPLATE | The ability to view the template definition. |
FULL TEMPLATE | The ability to edit the template definition. |
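The privilege names in the three tables above are what the emcli create_user examples earlier in this chapter grant as privilege;object pairs, so a reviewer typically wants to vet a grant list before it is applied. The following added example (not Oracle code) lints such a list: it checks every name against the tables, requires an object for target and object privileges and none for system privileges, flags the grants that widen access beyond a single target (FULL, which the table says implies every other target privilege and allows deletion, the ANY privileges, and the FULL job/template privileges), and reports grants made redundant by FULL. The alias table maps the two emcli spellings that appear on this page (view_target, view_job) onto the table names; any other emcli spelling must be added there, which is an assumption about how EMCLI spells them. The sample grant list is constructed.

```python
"""Lint proposed Enterprise Manager privilege grants before emcli create_user.

Added example, not Oracle code.  Privilege names come from the tables on this
page; ALIASES covers the two emcli spellings shown on the page and is an
assumption for anything else.  SAMPLE_GRANTS is constructed."""

SYSTEM_PRIVS = {"USE ANY BEACON", "ADD ANY TARGET", "VIEW ANY TARGET",
                "CREATE PRIVILEGE PROPAGATING GROUP",
                "MONITOR ENTERPRISE MANAGER", "PUBLISH REPORT"}
TARGET_PRIVS = {"FULL", "OPERATOR", "BLACKOUT TARGET", "MANAGE TARGET ALERTS",
                "CONFIGURE TARGET", "MANAGE TARGET METRICS", "VIEW"}
OBJECT_PRIVS = {"VIEW JOB", "FULL JOB", "VIEW REPORT", "VIEW TEMPLATE",
                "FULL TEMPLATE"}

# emcli spellings seen on this page; extend for others (assumption).
ALIASES = {"VIEW_TARGET": "VIEW", "VIEW_JOB": "VIEW JOB"}

# Grants that reach well beyond one target, or allow deletion/editing of
# shared objects; each one deserves an explicit sign-off.
HIGH_RISK = {"FULL", "FULL JOB", "FULL TEMPLATE", "ADD ANY TARGET",
             "VIEW ANY TARGET", "MONITOR ENTERPRISE MANAGER",
             "CREATE PRIVILEGE PROPAGATING GROUP"}


def parse_grant(spec):
    """'view_target;db1.example.com:host' -> ('VIEW', 'db1.example.com:host')."""
    priv, _, obj = spec.strip().partition(";")
    priv = priv.strip().upper()
    priv = ALIASES.get(priv, priv.replace("_", " "))
    return priv, obj.strip()


def lint_grants(specs):
    """Return findings for a list of privilege;object grant specs."""
    findings = []
    by_object = {}
    for spec in specs:
        priv, obj = parse_grant(spec)
        if priv in SYSTEM_PRIVS:
            if obj:
                findings.append(f"{priv}: system privilege takes no object, got '{obj}'")
        elif priv in TARGET_PRIVS or priv in OBJECT_PRIVS:
            if not obj:
                findings.append(f"{priv}: target/object privilege needs an object")
            else:
                by_object.setdefault(obj, set()).add(priv)
        else:
            findings.append(f"{priv}: unknown privilege name")
        if priv in HIGH_RISK:
            where = f" on {obj}" if obj else ""
            findings.append(f"{priv}{where}: high-risk grant, confirm it is intended")
    # FULL implicitly grants every other target privilege (see the table).
    for obj, privs in by_object.items():
        if "FULL" in privs:
            for p in sorted(privs - {"FULL"}):
                if p in TARGET_PRIVS:
                    findings.append(f"{p} on {obj}: redundant, FULL already implies it")
    return findings


def emcli_create_user_cmd(name, user_type, grants):
    """Render the emcli invocation for a vetted grant list, one -privilege per grant."""
    parts = [f"emcli create_user -name={name} -type={user_type}"]
    parts.extend(f'-privilege="{g.strip()}"' for g in grants)
    return " ".join(parts)


# Constructed sample covering a clean grant, a FULL grant, a missing object,
# a system privilege and a typo.
SAMPLE_GRANTS = [
    "view_target;db1.example.com:host",
    "view_job;923470234ABCDFE23018494753091111",
    "FULL;db2.example.com:host",
    "OPERATOR;db2.example.com:host",
    "ADD ANY TARGET",
    "manage_target_alerts",
    "bogus_priv;db1.example.com:host",
]

if __name__ == "__main__":
    for finding in lint_grants(SAMPLE_GRANTS):
        print("CHECK:", finding)
    print(emcli_create_user_cmd("ssouser", "EXTERNAL_USER", SAMPLE_GRANTS[:2]))
```

Feed it the same privilege;object lines you would put in a priv_file; a clean run returns no findings, and anything marked high-risk is a grant that should go through a role reviewed by the Super Administrator rather than directly onto an individual account.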
This section contains the following topics:
Overview of the Steps Required to Enable Enterprise Manager Framework Security
Enabling Security with Multiple Management Service Installations
Enterprise Manager Framework Security provides safe and secure communication channels between the components of Enterprise Manager. For example, Framework Security provides secure connections between your Oracle Management Service and its Management Agents.
See Also:
Oracle Enterprise Manager Concepts for an overview of Enterprise Manager components
The following figure shows how Enterprise Manager Framework Security provides security for the connections between the Enterprise Manager components.
Enterprise Manager Framework Security implements the following types of secure connections between the Enterprise Manager components:
HTTPS and Public Key Infrastructure (PKI) components, including signed digital certificates, for communications between the Management Service and the Management Agents.
See Also:
Oracle Security Overview for an overview of Public Key Infrastructure features, such as digital certificates and public keys
Oracle Advanced Security for communications between the Management Service and the Management Repository.
See Also:
Oracle Database Advanced Security Administrator's Guide
To enable Enterprise Manager Framework Security, you must configure each of the Enterprise Manager components in a specific order. The following list outlines the process for securing the Management Service and the Management Agents that upload data to the Management Service:
Note:
The Enterprise Manager components are configured during installation. You can use the following commands if you want to reconfigure any of the components.
Use the emctl stop oms command to stop the OMS and the WebTier.
Use emctl secure oms to enable security for the Management Service.
Restart the OMS and the WebTier using the emctl start oms command.
For each Management Agent, stop the Management Agent, use the emctl secure agent command to enable security for the Management Agent, and restart the Management Agent.
After security is enabled for all the Management Agents, use the emctl secure lock command to restrict HTTP access to the Management Service. This ensures that Management Agents for which security has not been enabled cannot upload data to the Management Service.
The following sections describe how to perform each of these steps in more detail.
Note:
To resolve errors from emctl secure operations, refer to EM_INSTANCE_HOME/sysman/log/secure.log for more details.
To enable Enterprise Manager Framework Security for the Management Service, you use the emctl secure oms utility, which is located in the following subdirectory of the Management Service home directory:
ORACLE_HOME/bin
The emctl secure oms utility performs the following actions:
Generates a Root Key within your Management Repository. The Root Key is used during distribution of Oracle Wallets containing unique digital certificates for your Management Agents.
Modifies your WebTier to enable an HTTPS channel between your Management Service and Management Agents, independent from any existing HTTPS configuration that may be present in your WebTier.
Enables your Management Service to accept requests from Management Agents using Enterprise Manager Framework Security.
To run the emctl secure oms utility you must first choose an Agent Registration Password. The Agent Registration Password is used to validate that future installation sessions of Oracle Management Agents and Oracle Management Services are authorized to load their data into this Enterprise Manager installation.
To enable Enterprise Manager Framework Security for the Oracle Management Service:
Stop the Management Service, the WebTier, and the other application server components using the following command:
OMS_ORACLE_HOME/bin/emctl stop oms
Enter the following command:
OMS_ORACLE_HOME/bin/emctl secure oms
You will be prompted for the Enterprise Manager Root Password. Enter the SYSMAN password.
You will be prompted for the Agent Registration Password, which is the password required for any Management Agent attempting to secure with the Management Service. Specify an Agent Registration Password for the Management Service.
When the operation is complete, restart the WebLogic Server and the deployed Enterprise Manager application.
OMS_ORACLE_HOME/bin/emctl start oms
After the Management Service restarts, test the secure connection to the Management Service by browsing to the following secure URL using the HTTPS protocol:
https://hostname.domain:https_upload_port/em
For example:
https://mgmthost1.acme.com:1159/em
If the Management Service security has been enabled, your browser displays the Enterprise Manager Login page.
Note:
The 1159 port number is the default secure port used by the Management Agents to upload data to the Management Service. This port number may vary if the default port is unavailable.
Example 2-2 Sample Output of the emctl secure oms Command
emctl secure oms
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
Securing OMS... Started.
Securing OMS... Successful
Alternatively, you can enter the emctl secure oms command all on one line, but if you enter the command on one line, the passwords you enter will be displayed on the screen as you type the command.
Example 2-3 Usage of the emctl secure oms Command (II)
emctl secure oms [-sysman_pwd <sysman password>] [-reg_pwd <registration password>] [-host <hostname>] [-slb_port <slb port>] [-slb_console_port <slb console port>] [-reset] [-console] [-lock] [-lock_console] [-secure_port <secure_port>] [-upload_http_port <upload_http_port>] [-root_dc <root_dc>] [-root_country <root_country>] [-root_email <root_email>] [-root_state <root_state>] [-root_loc <root_loc>] [-root_org <root_org>] [-root_unit <root_unit>] [-wallet <wallet_loc> -trust_certs_loc <certs_loc>] [-wallet_pwd <pwd>] [-key_strength <strength>] [-cert_validity <validity>] [-protocol <protocol>]
Valid values for <protocol> are the allowed values for Apache's SSLProtocol directive.
The parameters are explained below:
sysman_pwd - Oracle Management Repository user password.
reg_pwd - The Management Agent registration password.
host - The host name to be used in the certificate used by the Oracle Management Service. You may need to use the SLB host name if there is an SLB in front of the Management Service.
reset - A new certificate authority will be created. All the Agents and Oracle Management Services need to be resecured.
secure_port - The port to be used for secure communication.
upload_http_port - The port used for unsecure upload communications.
slb_port - This parameter is required when a Server Load Balancer is used. It specifies the secure upload port configured in the Server Load Balancer.
slb_console_port - This parameter is required when a Server Load Balancer is used. It specifies the secure console port configured in the Server Load Balancer.
root_dc - The domain component used in the root certificate. The default value is com.
root_country - The country to be used in the root certificate. The default value is US.
root_state - The state to be used in the root certificate. The default value is CA.
root_loc - The location to be used in the root certificate. The default value is EnterpriseManager on <hostname>.
root_org - The organization name to be used in the root certificate. The default value is EnterpriseManager on <hostname>.
root_unit - The organizational unit to be used in the root certificate. The default value is EnterpriseManager on <hostname>.
root_email - The email address to be used in the root certificate. The default value is EnterpriseManager@<hostname>.
wallet - The location of the wallet containing the third party certificate. This parameter should be specified while configuring third party certificates.
trust_certs_loc - The location of the trusted_certs.txt file (required when third party certificates are used).
key_strength - The strength of the key to be used. Valid values are 512, 1024, 2048, and 4096.
cert_validity - The number of days for which the self-signed certificate is valid. The valid range is 1 to 3650.
protocol - This parameter is used to configure the Oracle Management Service in TLSv1-only, SSLv3-only, or mixed mode (default). Valid values are the allowed values for Apache's SSLProtocol directive.
Note:
The key_strength and cert_validity parameters are applicable only when the -wallet option is not used.
You can check whether security has been enabled for the Management Service by entering the emctl status oms -secure command.
Example 2-4 Sample Output of the emctl status oms -details Command
emctl status oms -details [-sysman_pwd <pwd>]
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
Enter Enterprise Manager Root (SYSMAN) Password :
Console Server Host : omshost.mydomain.com
HTTP Console Port : 7788
HTTPS Console Port : 7799
HTTP Upload Port : 4889
HTTPS Upload Port : 1159
OMS is not configured with SLB or virtual hostname
Agent Upload is locked.
OMS Console is locked.
Active CA ID: 1
You may need to create a new Certificate Authority (CA) if the current CA is expiring or if you want to change the key strength. A unique identifier is assigned to each CA. For instance, the CA created during installation may have an identifier as ID 1, subsequent CAs will have the IDs 2,3, and so on. At any given time, the last created CA is active and issues certificates for OMSs and Agents.
Example 2-5 Creating a New Certificate Authority
emctl secure createca [-sysman_pwd <pwd>] [-host <hostname>] [-key_strength <strength>] [-cert_validity <validity>] [-root_dc <root_dc>] [-root_country <root_country>] [-root_email <root_email>] [-root_state <root_state>] [-root_loc <root_loc>] [-root_org <root_org>] [-root_unit <root_unit>]
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
Creating CA... Started.
Successfully created CA with ID 2
Example 2-6 Viewing Information about a Certificate Authority
emcli get_ca_info -ca_id="1;2" -details
Info about CA with ID: 1
CA is not configured
DN: CN=myhost.mydomain.com, C=US
Serial# : 3423643907115516586
Valid From: Tue Mar 16 11:06:20 PDT 2010
Valid Till: Sat Mar 14 11:06:20 PDT 2020
Number of Agents registered with CA ID 1 is 1
myhost.mydomain.com:3872
Info about CA with ID: 2
CA is configured
DN: CN=myhost.mydomain.com, C=US, ST=CA
Serial# : 1182646629511862286
Valid From: Fri Mar 19 05:17:15 PDT 2010
Valid Till: Tue Mar 17 05:17:15 PDT 2020
There are no Agents registered with CA ID 2
Note:
The WebLogic Administrator and Node Manager passwords are stored in the Administration Credentials Wallet. This is present in the EM_INSTANCE_HOME/sysman/config/adminCredsWallet directory. To recreate the Administrator Credentials wallet, run the following command on each machine on which the Management Service is running:
emctl secure create_admin_creds_wallet [-admin_pwd <pwd>] [-nodemgr_pwd <pwd>]
To view the security status and OMS port information, use the following command:
Example 2-7 emctl status oms -details
$ emctl status oms -details [-sysman_pwd welcome1]
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
Console Server Host : myhost.mydomain.com
HTTP Console Port : 7788
HTTPS Console Port : 7799
HTTP Upload Port : 4889
HTTPS Upload Port : 1159
OMS is not configured with SLB or virtual hostname
Agent Upload is locked.
OMS Console is locked.
Active CA ID: 1
The Oracle Management Service can be configured in the following modes:
TLSv1-only mode: To configure the OMS to use only TLSv1 connections, do the following:
Stop the OMS by entering the following command:
OMS_ORACLE_HOME/bin/emctl stop oms
Enter the following command:
emctl secure oms -protocol TLSv1
Append -Dweblogic.security.SSL.protocolVersion=TLS1 to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh. If this property already exists, update the value to TLS1.
Restart the OMS with the following command:
OMS_ORACLE_HOME/bin/emctl start oms
Note:
If the OMS is configured in TLSv1-only mode, the 10.2.x Agents cannot communicate with the OMS since those Agents do not support the TLS mode.
SSLv3 Only Mode: To configure the OMS to use SSLv3 connections only, do the following:
Stop the OMS by entering the following command:
OMS_ORACLE_HOME/bin/emctl stop oms
Enter the following command:
emctl secure oms -protocol SSLv3
Append -Dweblogic.security.SSL.protocolVersion=SSL3 to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh, or startEMServer.cmd on Windows. If this property already exists, update the value to SSL3.
Restart the OMS with the following command:
OMS_ORACLE_HOME/bin/emctl start oms
Mixed Mode: To configure the OMS to use both SSLv3 and TLSv1 connections, do the following:
Stop the OMS by entering the following command:
OMS_ORACLE_HOME/bin/emctl stop oms
Enter the following command:
emctl secure oms
Append -Dweblogic.security.SSL.protocolVersion=ALL to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh. If this property already exists, update the value to ALL.
Restart the OMS with the following command:
OMS_ORACLE_HOME/bin/emctl start oms
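Each of the three procedures above edits JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh by hand, with the rule that an existing protocolVersion property is updated rather than appended a second time. The following shell function is an added example, not part of the Oracle documentation, that applies that rule for the three documented values. It assumes the start script defines JAVA_OPTIONS as a double-quoted assignment (JAVA_OPTIONS="..."); that layout is an assumption about the file, not something the documentation states.

```shell
# Added example (not from the Oracle documentation): set the WebLogic SSL
# protocol version in a startEMServer.sh, appending
# -Dweblogic.security.SSL.protocolVersion=<value> to JAVA_OPTIONS when it is
# absent and updating the value in place when the property already exists.
# Assumes the script contains a line of the form JAVA_OPTIONS="..." (assumption).
# Usage: set_ssl_protocol_version <startEMServer.sh> <TLS1|SSL3|ALL>
set_ssl_protocol_version() {
  script="$1"; version="$2"
  case "$version" in
    TLS1|SSL3|ALL) ;;   # the three modes documented for the OMS
    *) echo "unsupported value: $version (expected TLS1, SSL3 or ALL)" >&2; return 2 ;;
  esac
  prop='-Dweblogic.security.SSL.protocolVersion'
  if grep -q -e "$prop=" "$script"; then
    # Property already present: update its value rather than adding a duplicate
    sed -i.bak "s/$prop=[A-Za-z0-9]*/$prop=$version/" "$script"
  else
    # Property absent: append it inside the JAVA_OPTIONS="..." assignment
    sed -i.bak "s/^\(JAVA_OPTIONS=\"[^\"]*\)\"/\1 $prop=$version\"/" "$script"
  fi
  rm -f "$script.bak"
  # Confirm the edit actually landed; a missing JAVA_OPTIONS line makes this fail
  grep -q -e "$prop=$version" "$script"
}
```

The final grep is what makes the function safe to use in a change script: if the start script does not contain the expected JAVA_OPTIONS assignment the function returns non-zero instead of silently leaving the OMS in mixed mode.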
Note:
By default, the OMS is configured to use the Mixed Mode. To configure the Management Agent in TLSv1 only mode, set allowTLSOnly=true in the emd.properties file and restart the Agent.
When you install the Management Agent on a host, you must identify the Management Service that will be used by the Management Agent. If the Management Service you specify has been configured to take advantage of Enterprise Manager Framework Security, you will be prompted for the Agent Registration Password and Enterprise Manager Framework Security will be enabled for the Management Agent during the installation.
Otherwise, if the Management Service has not been configured for Enterprise Manager Framework Security or if the Registration Password was not specified during installation, then security will not be enabled for the Management Agent. In those cases, you can later enable Enterprise Manager Framework Security for the Management Agent.
To enable Enterprise Manager Framework Security for the Management Agent, use the emctl secure agent utility, which is located in the following directory of the Management Agent home directory:
AGENT_HOME/bin (UNIX)
AGENT_HOME\bin (Windows)
The emctl secure agent utility performs the following actions:
Obtains an Oracle Wallet from the Management Service that contains a unique digital certificate for the Management Agent. This certificate is required in order for the Management Agent to conduct SSL communication with the secure Management Service.
Obtains an Agent Key for the Management Agent that is registered with the Management Service.
Configures the Management Agent so it is available on your network over HTTPS and so it uses the Management Service HTTPS upload URL for all its communication with the Management Service.
To enable Enterprise Manager Framework Security for the Management Agent:
Ensure that your Management Service and the Management Repository are up and running.
Change directory to the following directory:
AGENT_HOME/bin (UNIX)
AGENT_HOME\bin (Windows)
Stop the Management Agent:
emctl stop agent
Enter the following command:
emctl secure agent (UNIX)
emctl secure agent (Windows)
The emctl secure agent utility prompts you for the Agent Registration Password, authenticates the password against the Management Service, and reconfigures the Management Agent to use Enterprise Manager Framework Security.
Note:
Alternatively, you can enter the command all on one line, but if you enter the command on one line, the password you enter will be displayed on the screen as you type:
emctl secure agent agent_registration_pwd (UNIX)
emctl secure agent agent_registration_pwd (Windows)
Example 2-8 shows sample output of the emctl secure agent utility.
Restart the Management Agent:
emctl start agent
Confirm that the Management Agent is secure by checking the Management Agent home page.
Note:
You can also check if the Management Agent is secure by running the emctl status agent -secure command, or by checking the Agent and Repository URLs in the output of the emctl status agent command.
In the General section of the Management Agent home page (Figure 2-8), the Secure Upload field indicates whether or not Enterprise Manager Framework Security has been enabled for the Management Agent.
See Also:
"Checking the Status of an Oracle Management Agent" in the Enterprise Manager online Help
Example 2-8 Sample Output of the emctl secure agent Utility
emctl secure agent
Oracle Enterprise Manager 11g Release 1 Grid Control.
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
Securing agent... Started
Securing agent... Successful.
Example 2-9 Sample Output of the emctl status agent -secure Command
emctl status agent -secure
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
Checking the security status of the Agent at location set in /private/home/oracle/product/102/em/agent10g/sysman/config/emd.properties... Done.
Agent is secure at HTTPS Port 3872.
Checking the security status of the OMS at http://gridcontrol.oraclecorp.com:4889/em/upload/... Done.
OMS is secure on HTTPS Port 4888
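Examples 2-4, 2-7 and 2-9 show the status output an administrator reads by eye to confirm that the upload channel and console are locked and that an Agent is secured. The following shell functions are an added example, not part of the Oracle documentation, that parse that output so the check can run in a script (for instance after the emctl secure lock step). The embedded sample texts are constructed from the documented example output; the host names and the emd.properties path in them are placeholders.

```shell
# Added example (not from the Oracle documentation): parse the output of
# "emctl status oms -details" and "emctl status agent -secure" and report
# the security posture. The samples below are constructed from the
# documented example output; host names and paths are placeholders.

oms_status_sample() {
  cat <<'EOF'
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
Console Server Host : myhost.mydomain.com
HTTP Console Port : 7788
HTTPS Console Port : 7799
HTTP Upload Port : 4889
HTTPS Upload Port : 1159
OMS is not configured with SLB or virtual hostname
Agent Upload is locked.
OMS Console is locked.
Active CA ID: 1
EOF
}

agent_status_sample() {
  cat <<'EOF'
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
Checking the security status of the Agent at location set in /u01/agent10g/sysman/config/emd.properties... Done.
Agent is secure at HTTPS Port 3872.
Checking the security status of the OMS at http://oms.example.com:4889/em/upload/... Done.
OMS is secure on HTTPS Port 4888
EOF
}

# Value of a "Label : value" line in OMS status output ($1 = text, $2 = label)
oms_field() {
  printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# True only when both the Agent upload channel and the console are locked to HTTPS
oms_is_fully_locked() {
  printf '%s\n' "$1" | grep -q '^Agent Upload is locked\.' &&
  printf '%s\n' "$1" | grep -q '^OMS Console is locked\.'
}

# HTTPS port the Agent is secured on; empty when the output shows no secure port
agent_secure_port() {
  printf '%s\n' "$1" | sed -n 's/^Agent is secure at HTTPS Port \([0-9]*\)\.$/\1/p'
}

# One-line summary of the OMS posture; returns 1 while any HTTP channel is open
oms_security_summary() {
  if oms_is_fully_locked "$1"; then
    echo "OK: upload locked to HTTPS $(oms_field "$1" 'HTTPS Upload Port'), console locked to HTTPS $(oms_field "$1" 'HTTPS Console Port'), active CA $(oms_field "$1" 'Active CA ID')"
    return 0
  fi
  echo "WARN: HTTP access still permitted; run 'emctl secure lock' once all Agents are secured"
  return 1
}
```

In practice you would feed the functions the real output, for example oms_security_summary "$(emctl status oms -details -sysman_pwd "$pw")", and fail the deployment step when the summary returns 1.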
If you already have a secure Management Service running and you install an additional Management Service that uses the same Management Repository, you will need to enable Enterprise Manager Framework Security for the new Management Service. This task is executed using the same procedure that you used to secure the first Management Service, by running the emctl secure oms utility.
Because you have already established at least one Agent Registration Password and a Root Key in your Management Repository, they must be used for your new Management Service. Your secure Management Agents can then operate against either Management Service.
All the registration passwords assigned to the current Management Repository are listed on the Registration Passwords page in the Oracle Enterprise Manager 11g Grid Control Console.
If you install a new Management Service that uses a new Management Repository, the new Management Service is considered to be a distinct enterprise. There is no way for the new Management Service to partake in the same security trust relationship as another Management Service that uses a different Management Repository. Secure Management Agents of one Management Service will not be able to operate against the other Management Service.
By default, when you enable Enterprise Manager Framework Security on your Oracle Management Service there are no default restrictions on HTTP access. The Grid Control Console can also be accessed over HTTP and the Oracle Management Agents will be able to upload over HTTP as well as HTTPS.
However, it is important that only secure Management Agent installations that use the Management Service HTTPS channel are able to upload data to your Management Repository, and that the Grid Control Console is accessible only over HTTPS.
To restrict access so Management Agents can upload data to the Management Service only over HTTPS:
Stop the Management Service, the WebTier, and the other application server components:
cd ORACLE_HOME/opmn/bin
emctl stop oms
Change directory to the following location in the Management Service home:
ORACLE_HOME/bin
Enter the following command to prevent Management Agents from uploading data to the Management Service over HTTP:
emctl secure lock -upload
Note:
To lock the console and prevent HTTP access to the console, enter the following command:
emctl secure lock -console
To lock both, enter either of the following commands:
emctl secure lock
emctl secure lock -upload -console
To lock both the console access and uploads from Agents while enabling security on the Management Service, enter the following command:
emctl secure oms -lock [other options]
Restart the Management Service, the WebTier, and the other application server components:
cd ORACLE_HOME/opmn/bin
emctl start oms
Verify that you cannot access the Management Agent upload URL using the HTTP protocol:
For example, navigate to the following URL:
http://hostname.domain:4889/em/upload
You should receive an error message similar to the following:
Forbidden
You are not authorised to access this resource on the server.
Verify that you can access the Management Agent Upload URL using the HTTPS protocol:
For example, navigate to the following URL:
https://hostname.domain:4888/em/upload
You should receive the following message, which confirms the secure upload port is available to secure Management Agents:
Http XML File receiver
Http Recceiver Servlet active!
To allow the Management Service to accept uploads from unsecure Management Agents, use the following command:
emctl secure unlock -upload
Note:
To unlock the console and allow HTTP access to the console, enter the following command:
emctl secure unlock -console
To unlock both, enter either of the following commands:
emctl secure unlock
emctl secure unlock -console -upload
Example 2-10 Sample Output of the emctl secure lock Command
emctl secure lock
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
OMS Console is locked. Access the console over HTTPS ports.
Agent Upload is locked. Agents must be secure and upload over HTTPS port.
Example 2-11 Sample Output of the emctl secure unlock Command
emctl secure unlock
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
OMS Console is unlocked. HTTP ports too can be used to access console.
Agent Upload is unlocked. Unsecure Agents may upload over HTTP.
To restrict HTTP access to the Oracle Enterprise Manager 11g Grid Control Console, use the emctl secure lock -console command.
Enterprise Manager uses the Agent Registration password to validate that installations of Oracle Management Agents are authorized to load their data into the Oracle Management Service.
The Agent Registration password is created during installation when security is enabled for the Oracle Management Service.
Note:
To prevent new Agents from being registered with the Oracle Management Service, you must delete all registration passwords.
You can use the Grid Control Console to manage your existing registration passwords or create additional registration passwords:
Click Setup at the top of any Grid Control Console page.
Click Registration Passwords.
Enterprise Manager displays the Registration Passwords page (Figure 2-9). The registration password you created when you ran the emctl secure oms command appears in the Registration Passwords table.
Use the Registration Passwords page to change your registration password, create additional registration passwords, or remove registration passwords associated with the current Management Repository.
When you create or edit an Agent Registration Password on the Registration Passwords page, you can determine whether the password is persistent and available for multiple Management Agents or to be used only once or for a predefined period of time.
For example, if an administrator requests to install a Management Agent on a particular host, you can create a one-time-only password that the administrator can use to install and configure one Management Agent.
On the other hand, you can create a persistent password that an administrator can use for the next two weeks before it expires and the administrator must ask for a new password.
To add a new Agent Registration Password, use the following emctl command on the machine on which the Management Service has been installed:
emctl secure setpwd [-sysman_pwd] [new registration pwd]
The emctl secure setpwd command requires that you provide the password of the Enterprise Manager super administrator user, sysman, to authorize the addition of the Agent Registration Password.
If you change the Agent Registration Password, you must communicate the new password to other Enterprise Manager administrators who need to install new Management Agents, enable Enterprise Manager Framework Security for existing Management Agents, or install additional Management Services.
As with other security passwords, you should change the Agent Registration Password on a regular and frequent basis to prevent it from becoming too widespread.
When you deploy a Management Service that is available behind a Server Load Balancer (SLB), special attention must be given to the DNS host name over which the Management Service will be available. Although the Management Service may run on a particular local host, for example myhost.mycompany.com, your Management Agents will access the Management Service using the host name that has been assigned to the Server Load Balancer, for example oracleoms.mycompany.com.
As a result, when you enable Enterprise Manager Framework Security for the Management Service, it is important to ensure that the Server Load Balancer host name is embedded into the Certificate that the Management Service uses for SSL communications. This is done by running emctl secure oms with an extra -host parameter that specifies the Server Load Balancer host name, as follows:
Enable security on the Management Service by entering the following command:
emctl secure oms -host <slb_hostname> [-slb_console_port <slb UI port>] [-slb_port <slb upload port>] [other params]
Create virtual servers and pools on the Server Load Balancer.
Verify that the console can be accessed using the following URL:
https://slbhost:slb_console_port/em
Re-secure the Agents with the Server Load Balancer by using the following command:
emctl secure agent -emdWalletSrcUrl <SLB Upload or UI URL>
For example:
Agent_Home/bin/emctl secure agent -emdWalletSrcUrl https://slbhost:slb_upload_port/em
This section describes how to enable Security for the Oracle Management Repository. This section includes the following topics:
About Oracle Advanced Security and the sqlnet.ora Configuration File
Configuring the Management Service to Connect to a Secure Management Repository Database
Enabling Oracle Advanced Security for the Management Repository
Enabling Security for a Management Agent Monitoring a Secure Management Repository or Database
You enable security for the Management Repository by using Oracle Advanced Security. Oracle Advanced Security ensures the security of data transferred to and from an Oracle database.
See Also:
Oracle Database Advanced Security Administrator's Guide
To enable Oracle Advanced Security for the Management Repository database, you must make modifications to the sqlnet.ora configuration file. The sqlnet.ora configuration file is used to define various database connection properties, including Oracle Advanced Security parameters.
The sqlnet.ora file is located in the following subdirectory of the Database home:
ORACLE_HOME/network/admin
After you have enabled Security for the Management Repository and the Management Services that communicate with the Management Repository, you must also configure Oracle Advanced Security for the Management Agent by modifying the sqlnet.ora configuration file in the Management Agent home directory.
See Also:
"Enabling Security for a Management Agent Monitoring a Secure Management Repository or Database"
It is important that both the Management Service and the Management Repository are configured to use Oracle Advanced Security. Otherwise, errors will occur when the Management Service attempts to connect to the Management Repository. For example, the Management Service might receive the following error:
ORA-12645: Parameter does not exist
To correct this problem, be sure both the Management Service and the Management Repository are configured as described in the following sections.
If you have enabled Oracle Advanced Security for the Management Service database—or if you plan to enable Oracle Advanced Security for the Management Repository database—use the following procedure to enable Oracle Advanced Security for the Management Service:
Stop the Management Service:
ORACLE_HOME/bin/emctl stop oms
Set the Oracle Advanced Security properties in the emoms.properties file by using the emctl set property command (see Table 2-4).
Restart the Management Service.
ORACLE_HOME/bin/emctl start oms
Table 2-4 Oracle Advanced Security Properties in the Enterprise Manager Properties File
Property | Description |
---|---|
 | Defines whether or not Enterprise Manager will use encryption between the Management Service and the Management Repository. Possible values are TRUE and FALSE. The default value is TRUE. |
 | Defines the Management Service encryption requirement. Possible values are REJECTED, ACCEPTED, REQUESTED, and REQUIRED. The default value is REQUESTED. In other words, if the database supports secure connections, then the Management Service uses secure connections, otherwise the Management Service uses insecure connections. |
 | Defines the different types of encryption algorithms the client supports. Possible values should be listed within parentheses. The default value is |
 | Defines the client's checksum requirements. Possible values are REJECTED, ACCEPTED, REQUESTED, and REQUIRED. The default value is REQUESTED. In other words, if the server supports checksum-enabled connections, then the Management Service uses them, otherwise it uses normal connections. |
 | Defines the different types of checksum algorithms the client supports. Possible values should be listed within parentheses. The default value is ( MD5 ). |
To be sure your database is secure and that only encrypted data is transferred between your database server and other sources, review the security documentation available in the Oracle Database documentation library.
See Also:
Oracle Database Advanced Security Administrator's Guide
The following instructions provide an example of how you can confirm that Oracle Advanced Security is enabled for your Management Repository database and its connections with the Management Service:
Locate the sqlnet.ora configuration file in the following directory of the database Oracle Home:
ORACLE_HOME/network/admin
Using a text editor, look for the following entries (or similar entries) in the sqlnet.ora file:
SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.CRYPTO_SEED = "abcdefg123456789"
See Also:
"Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" in the Oracle Application Server 10g Administrator's Guide
Save your changes and exit the text editor.
After you have enabled Oracle Advanced Security for the Management Repository, you must also enable Advanced Security for the Management Agent that is monitoring the Management Repository:
Locate the sqlnet.ora configuration file in the following directory inside the home directory for the Management Agent that is monitoring the Management Repository:
AGENT_HOME/network/admin (UNIX)
AGENT_HOME\network\admin (Windows)
Using a text editor, add the following entry to the sqlnet.ora configuration file:
SQLNET.CRYPTO_SEED = "abcdefg123456789"
The SQLNET.CRYPTO_SEED can be any string between 10 and 70 characters.
See Also:
"Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" in the Oracle Application Server Administrator's Guide
Save your changes and exit the text editor.
Restart the Management Agent.
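Both sqlnet.ora procedures above (the database side and the monitoring Agent side) come down to two entries: an SQLNET.ENCRYPTION_* requirement that must be one of REJECTED, ACCEPTED, REQUESTED or REQUIRED, and an SQLNET.CRYPTO_SEED of 10 to 70 characters. The shell functions below are an added example, not part of the Oracle documentation, that verify those two constraints in a sqlnet.ora before the Management Service or Agent is restarted, so that a typo in the file is caught before it surfaces as a connection error such as ORA-12645. The parameter names checked are the ones shown on this page; the sample files in the test are constructed.

```shell
# Added example (not from the Oracle documentation): check the Oracle Advanced
# Security entries in a sqlnet.ora. Verifies that SQLNET.ENCRYPTION_SERVER and
# SQLNET.ENCRYPTION_CLIENT (when present) hold one of the four documented
# values and that SQLNET.CRYPTO_SEED is a string of 10 to 70 characters.
# Usage: check_sqlnet_ora <path to sqlnet.ora>; returns 0 when all checks pass.

# Print the value of a sqlnet.ora parameter with surrounding whitespace and
# double quotes removed ($1 = file, $2 = parameter name)
sqlnet_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 |
    sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

check_sqlnet_ora() {
  file="$1"; rc=0
  for p in SQLNET.ENCRYPTION_SERVER SQLNET.ENCRYPTION_CLIENT; do
    v=$(sqlnet_value "$file" "$p")
    [ -z "$v" ] && continue          # parameter not set in this file
    case "$v" in
      REJECTED|ACCEPTED|REQUESTED|REQUIRED) ;;
      *) echo "$p has invalid value '$v'" >&2; rc=1 ;;
    esac
  done
  seed=$(sqlnet_value "$file" SQLNET.CRYPTO_SEED)
  len=${#seed}
  if [ -z "$seed" ]; then
    echo "SQLNET.CRYPTO_SEED is not set" >&2; rc=1
  elif [ "$len" -lt 10 ] || [ "$len" -gt 70 ]; then
    echo "SQLNET.CRYPTO_SEED must be 10 to 70 characters (got $len)" >&2; rc=1
  fi
  return $rc
}
```

Run it against ORACLE_HOME/network/admin/sqlnet.ora on the database host and AGENT_HOME/network/admin/sqlnet.ora on the Agent host; a non-zero return with the message on stderr tells you which entry to correct.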
You can configure third party certificates for:
HTTPS Upload Virtual Host
HTTPS Console Virtual Host
Note:
Only Single Sign-On wallets are supported.
You can configure the third party certificate for the HTTPS Upload Virtual Host in two ways:
Method I
Create a wallet for each OMS in the grid.
While creating the wallet, specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Load Balancer for Common Name.
Write the certificates of all the Certificate Authorities in the certificate chain (like the Root Certificate Authority, Intermediate Certificate Authority) into a file named trusted_certs.txt.
Download or copy the trusted_certs.txt file to the host machines on which each Agent that is communicating with the OMS is running.
Run the add_trust_cert command on each Agent and restart the Agent afterwards:
emctl secure add_trust_cert -trust_certs_loc <location of the trusted_certs.txt file>
Secure the OMS and restart it.
emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt> [any other options]
Method 2
Create a wallet for each OMS in the grid.
Specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Server Load Balancer for Common Name (CN).
Write the certificates of all the Certificate Authorities in the certificate chain (like the Root Certificate Authority, Intermediate Certificate Authority) into a file named trusted_certs.txt.
Restart the OMS after it has been secured.
emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt> [any other options]
Either re-secure the Agent by running the emctl secure agent command or import the trust points by running the emctl secure add_trust_cert -trust_certs_loc <location of the trusted_certs.txt file> command. The -trust_certs_loc parameter must contain the path and the filename of the trusted_certs.txt file. This file must only contain certificates in base64 format and no special characters or empty lines.
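The trusted_certs.txt constraint just stated (base64 certificates only, no special characters, no empty lines) is easy to violate when certificates are pasted together from several sources, and a bad file is only discovered when -trust_certs_loc is processed on every Agent. The following shell function is an added example, not part of the Oracle documentation, that checks a trusted_certs.txt against that constraint before it is distributed and reports how many certificates it holds, so you can confirm the whole chain (root plus intermediates) is present. The PEM marker lines it accepts are the standard BEGIN/END CERTIFICATE lines; the certificate bodies in the test are constructed placeholders, not real certificates.

```shell
# Added example (not from the Oracle documentation): sanity-check a
# trusted_certs.txt before passing it to -trust_certs_loc. The file must hold
# only PEM certificates (BEGIN/END CERTIFICATE markers plus base64 body lines),
# with no empty lines and no other characters (a CR from a Windows line ending
# also fails the check). Prints the certificate count on success.
# Usage: check_trusted_certs <file>; returns 0 when the file is acceptable.
check_trusted_certs() {
  file="$1"
  # Empty lines are explicitly disallowed
  if grep -q '^$' "$file"; then
    echo "empty line found in $file" >&2; return 1
  fi
  # Every remaining line must be a PEM marker or base64 text
  if grep -v -E '^-----(BEGIN|END) CERTIFICATE-----$' "$file" |
     grep -q -v -E '^[A-Za-z0-9+/=]+$'; then
    echo "non-base64 content found in $file" >&2; return 1
  fi
  # Markers must pair up and at least one certificate must be present
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file")
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$file")
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    echo "unbalanced BEGIN/END CERTIFICATE markers in $file" >&2; return 1
  fi
  echo "$begins"
}
```

Comparing the printed count with the length of the chain issued by your CA is a cheap way to notice a missing intermediate before Agents start failing to validate the OMS certificate.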
To configure the third party certificate for HTTPS WebTier Virtual Host:
Create a wallet for each OMS in the grid. Specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Server Load Balancer for Common Name.
Run the following command on each OMS:
emctl secure console -wallet <location of wallet>
Note:
Only single-sign-on wallets are supported.
The following topics are discussed in this section:
Credential Subsystem
Pluggable Authentication Modules (PAM) Support
Sudo and Powerbroker Support
Credentials like user names and passwords are typically required to access targets such as databases, application servers, and hosts. Credentials are encrypted and stored in Enterprise Manager. By using appropriate credentials, you can:
Collect metrics in the background as well as real-time
Perform jobs like backup, patching, cloning etc.
Perform real-time target administration like start, stop etc.
Connect to My Oracle Support
Based on their usage, credentials can be classified into the following categories:
Job Credentials: The job system uses the credential subsystem to retrieve the credentials required to submit a job on the targets. The administrator can define their preferred and default credentials in the preference section of EM console. The user can override the default credentials by specifying different credentials while submitting the job.
Note:
If the user chooses to use preferred credentials, these credentials will be used when the user submits the job. If the preferred credentials are not available, the default credentials will be used. If default credentials are not present, the job cannot be submitted.
Monitoring Credentials: These credentials are used by the Management Agent to monitor certain types of targets. For example, most database monitoring involves connecting to the database, which requires a username, password, and optionally, a role. Monitoring credentials, if stored in the repository, can also be potentially used by management applications to connect directly to the target from the OMS.
Collection Credentials: These credentials are associated with user-defined metrics.
To simplify the usage and management of credentials, the following features are available in Enterprise Manager:
Preferred Credentials: Preferred credentials are used to simplify access to managed targets by storing target login credentials in the Management Repository. With preferred credentials set, users can access an Enterprise Manager target that recognizes those credentials without being prompted to log into the target. Preferred credentials are set on a per user basis, thus ensuring the security of the managed enterprise environment.
Default Credentials: Default credentials can be set for a particular target type and will be available for all the targets of the target type. It will be overridden by target preferred credentials.
Target Credentials: Target credentials are preferred credentials set for a particular target. They can be used by applications such as the job system, patch, etc. For example, if the user chooses to use preferred credentials while submitting a job, then the preferred credentials set for the target (target credentials) will be used. If the target credentials are not present, the default credentials (for the target type) will be used. If the default credentials are not present, the job will fail. If not specified, by default, preferred credentials refer to preferred target credentials.
For example, to set the host preferred credentials, click Preferences to navigate to the Preferences page. Click the Preferred Credentials link in the right panel. In the Preferred Credentials page, click the Set Credentials icon for the host. The Host and Cluster Preferred Credentials page is displayed.
On this page, you can set both default and explicit preferred credentials for the host and cluster target types. For more details on setting preferred credentials, see the Enterprise Manager Online Help.
You can manage passwords using EMCLI verbs. Using EMCLI, you can:
Change the database user password in both the target database and Enterprise Manager.
emcli update_db_password -change_at_target=Yes|No -change_all_reference=Yes|No
Update a password which has already been changed at the host target.
emcli update_host_password -change_all_reference=Yes|No
Set preferred credentials for given users.
emcli set_credential -target_type="ttype" [-target_name="tname"] -credential_set="cred_set" [-user="user"] -columns="col1:newval1;col2:newval2;PDP:SUDO/POWERBROKER;RUNAS:oracle; PROFILE:user1..." [-input_file="tag1:file_path1;tag2:file_path2;..."] [-oracle_homes="home1;home2"] [-monitoring]
For detailed descriptions of these verbs, refer to Enterprise Manager Command Line Interface guide.
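A parser and consistency check for the -columns value of emcli set_credential, added here as an example and not part of EMCLI; the HostUserName and HostPassword column names are constructed for the sample, and requiring RUNAS whenever PDP is set is this check's own assumption.

```python
"""Parse and sanity-check the -columns argument of emcli set_credential.

Added example, not part of EMCLI. It handles the form shown above:
semicolon-separated column:value pairs in which PDP, RUNAS and PROFILE carry
the privilege delegation settings. Column names other than those three
(HostUserName, HostPassword) are constructed for the sample, and treating
RUNAS as required whenever PDP is set is an assumption of this check.
"""
PDP_TYPES = ("SUDO", "POWERBROKER")


def parse_columns(spec):
    """Split "col1:val1;col2:val2;..." into a dict; a repeated column is an error."""
    columns = {}
    for entry in spec.split(";"):
        entry = entry.strip()  # the documented form has a space after one of the ';'
        if not entry:
            continue
        if ":" not in entry:
            raise ValueError("entry %r has no ':' separator" % entry)
        # Split on the first ':' only so a value that itself contains ':' survives.
        name, value = entry.split(":", 1)
        name = name.strip()
        if name in columns:
            raise ValueError("column %r given twice" % name)
        columns[name] = value
    return columns


def check_privilege_delegation(columns):
    """Return the list of problems with the PDP/RUNAS/PROFILE columns (empty when consistent)."""
    problems = []
    pdp = columns.get("PDP")
    if pdp is None:
        # Without PDP there is no delegation tool for RUNAS or PROFILE to apply to.
        problems.extend("%s set without PDP" % c for c in ("RUNAS", "PROFILE") if c in columns)
        return problems
    if pdp not in PDP_TYPES:
        problems.append("PDP must be one of %s, got %r" % ("/".join(PDP_TYPES), pdp))
    if not columns.get("RUNAS"):
        problems.append("PDP is set but RUNAS is empty")  # assumption, see module docstring
    return problems


def redact(columns):
    """Copy of the columns with password-like values masked, so the request can be logged."""
    return {k: ("***" if "password" in k.lower() else v) for k, v in columns.items()}


if __name__ == "__main__":
    spec = "HostUserName:oracle;HostPassword:s3cret;PDP:SUDO;RUNAS:root; PROFILE:user1"
    cols = parse_columns(spec)
    print(redact(cols), check_privilege_delegation(cols) or "consistent")
```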
Pluggable Authentication Modules (PAM) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independently of the underlying authentication scheme. By using PAM, instead of using the local password file to authenticate the user accessing the host, you can take advantage of other authentication mechanisms such as LDAP, RADIUS and Kerberos. If your host authentication is configured over PAM, the Management Agent needs to be configured accordingly to enable PAM Authentication. Refer to note 422073.1 for deployment details.
Note:
The local password file (usually /etc/passwd) will be checked and used first. This should be synchronized with the LDAP password if it is being used. If this fails, the Management Agent will switch to the external authentication module.
For users on RHEL4, the PAM file configuration is as follows:
#%PAM-1.0
auth required pam_ldap.so
account required pam_ldap.so
password required pam_ldap.so
session required pam_ldap.so
For more details, see https://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/s1-pam-format.html
For AIX users, edit the /etc/pam.conf file and add the following lines:
emagent auth required /usr/lib/security/pam_aix
emagent account required /usr/lib/security/pam_aix
emagent password required /usr/lib/security/pam_aix
emagent session required /usr/lib/security/pam_aix
After editing the file, apply patch 5527130 and run root.sh
Privilege delegation allows a logged-in user to perform an activity with the privileges of another user. Sudo and PowerBroker are privilege delegation tools that allow a logged-in user to be assigned these privileges. Typically, the privileges that are granted to a specific user are administered centrally. For example, the sudo command can be used to run a script that requires root access:
sudo root root.sh
In the invocation of sudo in the example above, an administrator can use the sudo command to run a script as root provided he has been granted the appropriate privileges by the system administrator. Enterprise Manager preferred credentials allow you to use two types of privilege delegation tools: Sudo and PowerBroker. You can use EMCLI or the Manage Privilege Delegation Settings page to set/edit privilege delegation settings for a host. See the Enterprise Manager Command Line Interface guide for more information on using the command line.
Sudo: sudo allows a permitted user to execute a command as the super user or another user, as specified in the sudoers file. If the invoking user is root or if the target user is the same as the invoking user, no password is required. Otherwise, sudo requires that users authenticate themselves with a password by default. Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (5 minutes unless overridden in sudoers). sudo determines who is an authorized user by consulting the /etc/sudoers file. For more information, see the manual page on sudo (man sudo) on Unix. Enterprise Manager authenticates the user using sudo, and executes the script as sudo. For example, if the command to be executed is foo -arg1 -arg2, it will be executed as sudo -S foo -arg1 -arg2.
PowerBroker: Symark PowerBroker enables UNIX system administrators to specify the circumstances under which other people may run certain programs as root (or other important accounts). The result is that responsibility for such actions as adding user accounts, fixing line printer queues, and so on, can be safely assigned to the appropriate people, without disclosing the root password. The full power of root is thus protected from potential misuse or abuse, for example, modifying databases or file permissions, erasing disks, or more subtle damage. Symark PowerBroker can access existing programs as well as its own set of utilities that execute common system administration tasks. Utilities being developed to run on top of Symark PowerBroker can manage passwords, accounts, backups, line printers, file ownership or removal, rebooting, logging people out, killing their programs, deciding who can log in to where from where, and so on. They can also provide TCP/IP, Load Balancer, cron, NIS, NFS, FTP, rlogin, and accounting subsystem management. Users can work from within a restricted shell or editor to access certain programs or files as root. See your Sudo or PowerBroker documentation for detailed setup and configuration information.
Enterprise Manager allows you to create privilege delegation settings either by creating the setting directly on a host target, or by creating a PDP setting template that you can apply to multiple hosts.
To create a privilege delegation setting directly on a host:
Login to Enterprise Manager and navigate to the Setup page. Click Manage Privilege Delegation Settings on the left panel. The following screen is displayed:
For any host target appearing in the table, click Edit. Enterprise Manager takes you to the Host Privilege Delegation Setting page.
Select a privilege delegation type (Sudo or PowerBroker).
Enter the privilege delegation command to be used and, in the case of PowerBroker, the optional Password Prompt.
Click Update to apply the settings to the host. The following figure shows the Host Privilege Delegation Setting window that you can use to create a PowerBroker setting.
Once you have created a privilege delegation setting, you must apply this setting to selected targets. This setting can be applied to one or more hosts or to a composite (Group) target (the group must contain at least one host target). You can apply a Privilege Delegation setting using the Grid Control console by clicking Setup on the Enterprise Manager Home page and then choosing Manage Privilege Delegation Settings from the left menu panel.
To protect the integrity of sensitive data in Enterprise Manager, a master encryption key known as the emkey is used. The emkey is used to encrypt and decrypt sensitive data, such as passwords and preferred credentials, that is stored in the Repository. The key is originally stored in the repository. It is removed from the repository and copied to the Credential Store during installation of the first OMS (the emkey is secured out-of-the-box). A backup is created in OMS_ORACLE_HOME/sysman/config/emkey.ora. It is recommended to create a backup of this file on some other machine. When starting up, the OMS reads the emkey from the Credential Store and repository. If the emkey is not found or is corrupted, the OMS fails to start. By storing the key separately from the Enterprise Manager schema, sensitive data such as Preferred Credentials in the Repository remain inaccessible to the schema owner and other SYSDBA users (privileged users who can perform maintenance tasks on the database) in the Repository. Moreover, keeping the key out of the schema ensures that sensitive data remain inaccessible to anyone who has access to Repository backups. Further, the schema owner should not have access to the OMS/Repository Oracle homes.
The emkey is an encryption key that is used to encrypt and decrypt sensitive data in Enterprise Manager such as host passwords, database passwords and others. By default, the emkey is stored in the ORACLE_HOME/sysman/config/emkey.ora file. The location of this file can be changed.
WARNING:
If the emkey.ora file is lost or corrupted, all the encrypted data in the Management Repository becomes unusable. Maintain a backup copy of this file on another system.
During startup, the Oracle Management Service checks the status of the emkey. If the emkey has been properly configured, it uses it for encrypting and decrypting data. If the emkey has not been configured properly, the following error message is displayed.
Example 2-12 emctl start oms Command
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
emctl start oms
Starting HTTP Server ...
Starting Oracle Management Server ...
Checking Oracle Management Server Status ...
Oracle Management Server is not functioning because of the following reason:
The Em Key is not configured properly. Run "emctl status emkey" for more details.
The emctl commands related to emkey are given below:
emctl status emkey [-sysman_pwd <pwd>]
emctl config emkey -copy_to_credstore [-sysman_pwd <pwd>]
emctl config emkey -copy_to_repos [-sysman_pwd <pwd>]
emctl config emkey -remove_from_repos [-sysman_pwd <pwd>]
emctl config emkey -copy_to_file_from_credstore -admin_host <host> -admin_port <port> -admin_user <username> [-admin_pwd <pwd>] [-repos_pwd <pwd>] -emkey_file <emkey file>
emctl config emkey -copy_to_file_from_repos (-repos_host <host> -repos_port <port> -repos_sid <sid> | -repos_conndesc <conn desc>) -repos_user <username> [-repos_pwd <pwd>] [-admin_pwd <pwd>] -emkey_file <emkey file>
emctl config emkey -copy_to_credstore_from_file -admin_host <host> -admin_port <port> -admin_user <username> [-admin_pwd <pwd>] [-repos_pwd <pwd>] -emkey_file <emkey file>
emctl config emkey -copy_to_repos_from_file (-repos_host <host> -repos_port <port> -repos_sid <sid> | -repos_conndesc <conn desc>) -repos_user <username> [-repos_pwd <pwd>] [-admin_pwd <pwd>] -emkey_file <emkey file>
This command shows the health or status of the emkey. Depending on the status of the emkey, the following messages are displayed:
When the emkey has been correctly configured in the Credential Store, the following message is displayed.
When the emkey has been correctly configured in the Credential Store and has been removed from the Management Repository, the following message is displayed.
Example 2-14 emctl status emkey - Example 2
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
The EMKey exists in the Management Repository, but is not configured properly or is corrupted in the credential store. Configure the EMKey by running "emctl config emkey -copy_to_credstore".
When the emkey
is corrupted in the Credential Store and removed from the Management Repository, the following message is displayed.
Example 2-15 emctl status emkey - Example 3
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
The EMKey is not configured properly or is corrupted in the credential store and does not exist in the Management Repository. To correct the problem:
1) Get the backed up emkey.ora file.
2) Configure the emkey by running "emctl config emkey -copy_to_credstore_from_file"
This command copies the emkey from the Management Repository to the Credential Store.
Example 2-16 Sample Output of the emctl config emkey -copy_to_credstore Command
emctl config emkey -copy_to_credstore [-sysman_pwd <pwd>]
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
The EMKey has been copied to the Credential Store.
This command copies the emkey from the Credential Store to the Management Repository.
Example 2-17 Sample Output of the emctl config emkey -copy_to_repos Command
emctl config emkey -copy_to_repos [-sysman_pwd <pwd>]
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
The EMKey has been copied to the Management Repository. This operation will cause the EMKey to become unsecure.
After the required operation has been completed, secure the EMKey by running "emctl config emkey -remove_from_repos".
This command copies the emkey from the Credential Store to a specified file.
Example 2-18 Sample Output of the emctl config emkey -copy_to_file_from_credstore Command
emctl config emkey -copy_to_file_from_credstore -admin_host <host> -admin_port <port> -admin_user <username> [-admin_pwd <pwd>] [-repos_pwd <pwd>] -emkey_file <emkey file>
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
The EMKey has been copied to file.
This command copies the emkey from the Management Repository to a specified file.
Example 2-19 Sample Output of the emctl config emkey -copy_to_file_from_repos Command
emctl config emkey -copy_to_file_from_repos (-repos_host <host> -repos_port <port> -repos_sid <sid> | -repos_conndesc <conn desc>) -repos_user <username> [-repos_pwd <pwd>] [-admin_pwd <pwd>] -emkey_file <emkey file>
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
The EMKey has been copied to file.
This command copies the emkey from a specified file to the Credential Store.
Example 2-20 Sample Output of the emctl config emkey -copy_to_credstore_from_file Command
emctl config emkey -copy_to_credstore_from_file -admin_host <host> -admin_port <port> -admin_user <username> [-admin_pwd <pwd>] [-repos_pwd <pwd>] -emkey_file <emkey file>
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
The EMKey has been copied to the Credential Store.
This command copies the emkey from a specified file to the repository.
Example 2-21 Sample Output of the emctl config emkey -copy_to_repos_from_file Command
emctl config emkey -copy_to_repos_from_file (-repos_host <host> -repos_port <port> -repos_sid <sid> | -repos_conndesc <conn desc>) -repos_user <username> [-repos_pwd <pwd>] [-admin_pwd <pwd>] -emkey_file <emkey file>
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
The EMKey has been copied to the Management Repository. This operation will cause the EMKey to become unsecure.
After the required operation has been completed, secure the EMKey by running "emctl config emkey -remove_from_repos".
This command removes the emkey from the repository.
Example 2-22 Sample Output of emctl config emkey -remove_from_repos Command
emctl config emkey -remove_from_repos [-sysman_pwd <pwd>]
Oracle Enterprise Manager 11g Release 1 Grid Control
Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
The EMKey has been removed from the Management Repository.
Note:
If the emkey is corrupted, you cannot remove it from the Management Repository.
This section explains the install and upgrade scenarios for the emkey.
A new emkey is generated as a strong random number when the Management Repository is installed.
When the Oracle Management Service is installed, the Installer copies the emkey to Credential Store and removes it from repository (emkey is secured out-of-box).
The Management Repository is upgraded as usual. When upgrading the OMS, the omsca (OMS Configuration Assistant) copies the emkey to the Credential Store and removes it from the repository. If the emkey was already secured before the upgrade, that is, it has been removed from the repository, then omsca reads the emkey from the emkey.ora file present in the old OMS Oracle Home and copies it to the Credential Store.
Note:
After all the Oracle Management Services have been upgraded, you can secure the emkey, that is, remove it from the Management Repository, by running the following command:
emctl config emkey -remove_from_repos
When the Management Repository is recreated, a new emkey is generated. This new key will not be in synchronization with the existing emkey in the Credential Store.
Copy the new emkey to the Credential Store by using the emctl config emkey -copy_to_credstore command.
Take a backup by entering the emctl config emkey -copy_to_file_from_repos command or the emctl config emkey -copy_to_file_from_credstore command.
Secure the emkey by using the emctl config emkey -remove_from_repos command.
All operations performed by Enterprise Manager users, such as creating users, granting privileges, or starting a remote job like patching or cloning, need to be audited to ensure compliance with the Sarbanes-Oxley Act of 2002 (SAS 70). This act defines standards an auditor must use to assess the contracted internal controls of a service organization. Auditing an operation enables an administrator to monitor, detect, and investigate problems and enforce enterprise-wide security policies.
Irrespective of how the user has logged into Enterprise Manager, if auditing is enabled, each user action is audited and the audit details are stored in a record.
You can configure the Enterprise Manager Audit System by using the following emcli commands:
enable_audit: Enables auditing for all user operations.
disable_audit: Disables auditing for all user operations.
show_operations_list: Shows a list of the user operations being audited.
show_audit_settings: Shows the audit status, operation list, externalization service details, and purge period details.
Audit data needs to be protected and maintained for several years. The volume of audit data may become very large and impact the performance of the system. To limit the amount of data stored in the repository, the audit data must be externalized or archived at regular intervals. The archived audit data is stored in an XML file complying with the ODL format. To externalize the audit data, the EM_AUDIT_EXTERNALIZATION API is used. Files of the format <file-prefix>.NNNNN.xml, where NNNNN is a five-digit number, are generated. The numbers start with 00001 and continue to 99999.
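An integrity check over a directory of externalized audit files, added here as an example and not Oracle's code; it relies only on the <file-prefix>.NNNNN.xml naming and the 00001 to 99999 range stated above, with a constructed listing and an assumed prefix of emaudit.

```python
"""Check a directory of externalized audit files for gaps in the sequence.

Added example, not Oracle's code. File names follow the pattern stated above,
<file-prefix>.NNNNN.xml with NNNNN running from 00001 to 99999. The listing is
constructed and "emaudit" is an assumed -file_prefix value.
"""
import re

FIRST, LAST = 1, 99999


def audit_file_pattern(prefix):
    # Exactly five digits: "emaudit.1.xml" or "emaudit.000001.xml" are not export files.
    return re.compile(r"^%s\.(\d{5})\.xml$" % re.escape(prefix))


def check_audit_archive(names, prefix):
    """Classify the names and locate missing numbers.

    Returns a dict with
      sequence:      sorted numbers of well-formed export files
      gaps:          numbers missing between the lowest and highest file present; a gap
                     means an archive was deleted, moved or never written and should be
                     investigated, because audit data is expected to be kept for years
      foreign:       names that are not export files for this prefix (renamed copies,
                     another prefix, wrong digit count) and so would be overlooked
      next_expected: the number the export service should write next, or None once
                     99999 has been reached (the text gives no rollover rule)
    """
    pattern = audit_file_pattern(prefix)
    sequence, foreign = [], []
    for name in names:
        match = pattern.match(name)
        number = int(match.group(1)) if match else None
        if number is not None and FIRST <= number <= LAST:
            sequence.append(number)
        else:
            foreign.append(name)
    sequence.sort()
    gaps = []
    if sequence:
        present = set(sequence)
        gaps = [n for n in range(sequence[0], sequence[-1] + 1) if n not in present]
    if not sequence:
        next_expected = FIRST
    elif sequence[-1] < LAST:
        next_expected = sequence[-1] + 1
    else:
        next_expected = None
    return {"sequence": sequence, "gaps": gaps, "foreign": foreign, "next_expected": next_expected}


# Constructed directory listing: one file is missing and two names do not belong.
SAMPLE_LISTING = [
    "emaudit.00001.xml", "emaudit.00002.xml", "emaudit.00004.xml",
    "emaudit.00003.xml.bak",   # renamed by hand; no longer part of the sequence
    "other.00001.xml",         # a different prefix
    "emaudit.00005.xml",
]

if __name__ == "__main__":
    result = check_audit_archive(SAMPLE_LISTING, "emaudit")
    print("gaps:", result["gaps"], "foreign:", result["foreign"], "next:", result["next_expected"])
```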
You can set up the audit externalization service for exporting audit data into the file system by using the update_audit_settings -externalization_switch command.
The update_audit_settings command updates the current audit settings in the repository and restarts the Management Service.
Example 2-23 Usage of the update_audit_settings command
emcli update_audit_settings -audit_switch="ENABLE/DISABLE" -operations_to_enable="name of the operations to enable, for all operations use ALL" -operations_to_disable="name of the operations to disable, for all operations use ALL" -externalization_switch="ENABLE/DISABLE" -directory_name="directory_name (DB Directory)" -file_prefix="file_prefix" -file_size="file_size (Bytes)" -data_retention_period="data_retention_period (Days)"
-audit_switch: Enables auditing across Enterprise Manager. The possible values are ENABLE/DISABLE. Default value is DISABLE.
-operations_to_enable: Enables auditing for specified operations. Enter ALL to enable all operations.
-operations_to_disable: Disables auditing for specified operations. Enter ALL to disable all operations.
-externalization_switch: Enables the audit data export service. The possible values are ENABLE/DISABLE. Default value is DISABLE.
-directory_name: The database directory that is mapped to the OS directory where the export service archives the audit data files.
-file_prefix: The file prefix to be used by the export service to create the file in which audit data is to be stored.
-file_size: The size of the file in which the audit data is to be stored. The default value is 5000000 bytes.
-data_retention_period: The period for which the audit data is to be retained inside the repository. The default value is 365 days.
You can search for audit data that has been generated over a specified period. You can also search for the following:
Audit details of a specific user operation or all user operations.
Audit details of operations with a Success or Failure status or All operations.
To view the audit data, click the Setup option. On the Setup page, click the Management Services and Repository tab. The Overview page is displayed. Click the Audit Data link under the Audit section. The Audit Data page is displayed. Specify the search criteria in the fields and click Go. The results are displayed in the Summary table.
To view the details of each record that meets the search criteria, select Detailed in the View drop-down list. To drill down to the full record details, click on the Timestamp. The Audit Record page is displayed.
Field Name | Description |
---|---|
General | |
Operation Timestamp | The date and time on which the operation took place. |
Administrator | The id of the administrator who has logged into Enterprise Manager. |
Operation | The type of operation being audited. |
Status | The status of the operation which can be success or failure. |
Message | A descriptive message indicating the status of the operation. |
Normalized Timestamp | This is the UTC timestamp. |
Client Information | |
Session | This can either be the HTTP Session ID or the DBMS Session ID. |
IP Address | The IP address of the client's host machine. |
Hostname | The name of the client's host machine. |
Upstream Component Type | The type of client, Console, Web Service, EMCLI, being used. |
Authentication Type | The nature of the session (HTTP Session, DB Session). |
Upstream Component Name | The name of the client being used. |
OMS Information | |
Hostname | The host name of the Oracle Management Service. |
IP Address | The IP address of the Oracle Management Service. |
Instance ID | The Instance ID of the Oracle Management Service. |
Operation Specific Information | |
Object Name | The operation being performed on an object |
The following table lists the names of the audited operations and their descriptions.
Table 2-5 List of Operations Audited
Operation Name | Description |
---|---|
change_password | Change Password |
create_user | Create User |
delete_user | Delete User |
logon | Login |
logoff | Logout |
grant_role | Grant Role |
grant_target_priv | Grant Target Privilege |
revoke_role | Revoke Role |
revoke_target_priv | Revoke Target Privilege |
submit_job | Submit Job |
edit_job | Edit Job |
delete_job | Delete Job |
change_pref_cred | Change Preferred Credential |
modify_user | Modify User |
grant_system_priv | Grant System Privilege |
grant_job_priv | Grant Job Privilege |
revoke_system_priv | Revoke System Privilege |
revoke_job_priv | Revoke Job Privilege |
remote_op | Remote Operation Job |
get_file | Get File |
put_file | Put File |
file_transfer | File Transfer |
create_role | Create Role |
delete_role | Delete Role |
modify_role | Modify Role |
job_output | Job Output |
suspend_job | Suspend Job |
agent_resync | Agent Resynchronization Operation |
repository_resync | Repository Resynchronization Operation |
remove_privilege_delegation_setting | Remove Privilege Delegation Setting |
set_privilege_delegation_setting | Set Privilege Delegation Setting |
add_agent_registration_password | Add Registration Password |
edit_agent_registration_password | Edit Registration Password |
delete_agent_registration_password | Delete Registration Password |
agent_registration_password_usage | Registration Password Usage |
audit_settings | Enable or Disable Auditing |
audit_export_settings | Externalize Audit Data Settings |
create_template | Create Template |
edit_template | Edit Template |
delete_template | Delete Template |
apply_template | Apply Template |
save_monitoring_settings | Save Monitoring Settings |
modify_metric_settings | Modify Metric Settings |
modify_policy_settings | Modify Policy Settings |
create_udp | Create User Defined Policy |
edit_udp | Edit User Defined Policy |
delete_udp | Delete User Defined Policy |
evaluate_udp | Evaluate User Defined Policy |
import_udp | Import User Defined Policy |
create_udpg | Create User Defined Policy Group |
edit_udpg | Edit User Defined Policy Group |
delete_udpg | Delete User Defined Policy Group |
delete_pg_eval | Delete Policy Group Evaluation Results |
create_pg_sched | Create Policy Group Schedule |
edit_pg_sched | Edit Policy Group Schedule |
delete_pg_sched | Delete Policy Group Schedule |
db_login | Audit Database User Login |
db_logout | Audit Database User Logout |
db_start | Audit Database Startup |
db_shutdown | Audit Database Shutdown |
db_restart | Audit Database Restart |
After you enable security for the Enterprise Manager components and framework, there are additional security considerations. This section provides the following topics:
This section describes the commands used to change the SYSMAN and MGMT_VIEW passwords.
To change the password of the SYSMAN user, enter the following command:
emctl config oms -change_repos_pwd [-change_in_db] [-old_pwd <old_pwd>] [-new_pwd <new_pwd>] [-use_sys_pwd [-sys_pwd <sys_pwd>]]
You must run this command on each Management Service in your environment.
Parameter | Description |
---|---|
-change_in_db | This parameter is optional and is used to change the SYSMAN password in the repository. If there are multiple Management Services running, this parameter must be set to true for at least one Management Service. If this parameter is not specified, the emoms.properties file will be updated with the new SYSMAN password. |
-old_pwd | This is the current SYSMAN password. |
-new_pwd | This is the new password. |
-use_sys_pwd | This parameter is optional and is used to connect to the database as a SYS user. |
-sys_pwd | This is the password for the SYS user. |
To change the password of the MGMT_VIEW user, enter the following command:
emctl config oms -change_view_user_pwd [-sysman_pwd <sysman_pwd>] [-user_pwd <user_pwd>] [-auto_generate]
Parameter | Description |
---|---|
-sysman_pwd | The password for the SYSMAN user. |
-user_pwd | The new password for the MGMT_VIEW user. This is an optional parameter and if it is not specified, the password is auto generated. |
-auto_generate | If this option is specified, the password is auto generated. |
This section describes how to respond to browser-specific security alert dialog boxes when you are using Enterprise Manager in a secure environment.
The security alert dialog boxes described in this section should appear only if you have enabled Enterprise Manager Framework Security, but you have not completed the more extensive procedures to secure your WebTier properly.
This section contains the following topics:
Responding to the Internet Explorer Security Alert Dialog Box
Responding to the Netscape Navigator New Site Certificate Dialog Box
Preventing the Display of the Internet Explorer Security Information Dialog Box
If you enable security for the Management Service, but do not enable the more extensive security features of your WebTier, you will likely receive a Security Alert dialog box similar to the one shown in Figure 2-15 when you first attempt to display the Grid Control Console using the HTTPS URL in Internet Explorer.
Note:
The instructions in this section apply to Internet Explorer 5.5. The instructions may vary for other supported browsers.
Figure 2-15 Internet Explorer Security Alert Dialog Box
When Internet Explorer displays the Security Alert dialog box, use the following instructions to install the certificate and avoid viewing this dialog box again in future Enterprise Manager sessions:
In the Security Alert dialog box, click View Certificate.
Click the Certificate Path tab and select the first entry in the list of certificates as shown in Figure 2-16.
Click View Certificate to display a second Certificate dialog box.
Click Install Certificate to display the Certificate Import wizard.
Accept the default settings in the wizard, click Finish when you are done, and then click Yes in the Root Certificate Store dialog box.
Internet Explorer displays a message box indicating that the Certificate was imported successfully.
Click OK to close each of the security dialog boxes and click Yes on the Security Alert dialog box to continue with your browser session.
You should no longer receive the Security Alert dialog box in any future connections to Enterprise Manager when you use this browser.
Figure 2-16 Certificate Path Tab on the Internet Explorer Certificate Dialog Box
If you enable security for the Management Service, but you do not enable the more extensive security features of your WebTier, you will likely receive a New Site Certificate dialog box similar to the one shown in Figure 2-17 when you first attempt to display the Grid Control Console using the HTTPS URL in Netscape Navigator.
Note:
The instructions in this section apply to Netscape Navigator 4.79. The instructions may vary for other supported browsers.
When Netscape Navigator displays the New Site Certificate dialog box, use the following instructions to install the certificate and avoid viewing this dialog box again in future Enterprise Manager sessions:
Review the instructions and information on each wizard page; click Next until you are prompted to accept the certificate.
Select Accept this certificate forever (until it expires) from the list of options.
On the last screen of the wizard, click Finish to close the wizard and continue with your browser session.
You should no longer receive the New Site Certificate dialog box when using the current browser.
Figure 2-17 Netscape Navigator New Site Certificate Dialog Box
After you enable Security for the Management Service, you may receive a dialog box similar to the one shown in Figure 2-18 whenever you access certain Enterprise Manager pages.
Note:
The instructions in this section apply to Internet Explorer 6.0. The instructions may vary for other supported browsers.
Figure 2-18 Internet Explorer Security Information Dialog Box
To stop this dialog box from displaying:
Select Internet Options from the Internet Explorer Tools menu.
Click the Security tab.
Select Internet and then click Custom Level.
Internet Explorer displays the Security Settings dialog box.
Scroll down to Miscellaneous settings and enable the Display Mixed Content option.
Oracle Beacons provide application availability and performance monitoring. They are part of the Application Service Level Management features of Enterprise Manager.
See Also:
"About Application Service Level Management" in the Enterprise Manager Online Help
When a Beacon is used to monitor a URL over Secure Sockets Layer (SSL) using an HTTPS URL, the Beacon must be configured to recognize the Certificate Authority that has been used by the Web site where that URL resides.
See Also:
"The Public Key Infrastructure Approach to Security" in the Oracle Security Overview for an overview of Public Key Infrastructure features, such as Certificate Authorities
The Beacon software is preconfigured to recognize most commercial Certificate Authorities that are likely to be used by a secure Internet Web Site. However, you may encounter Web Sites that, although available over HTTPS, do not have a Certificate that has been signed by a commercial Certificate Authority recognized by the Beacon. The following are out-of-box certificates recognized by Beacons:
Class 1 Public Primary Certification Authority by VeriSign, Inc.
Class 2 Public Primary Certification Authority by VeriSign, Inc.
Class 3 Public Primary Certification Authority by VeriSign, Inc.
Secure Server Certification Authority by RSA Data Security, Inc.
GTE CyberTrust Root by GTE Corporation
GTE CyberTrust Global Root by GTE CyberTrust Solutions, Inc.
Entrust.net Secure Server Certification Authority by Entrust.net ((c) 1999 Entrust.net Limited, www.entrust.net/CPS incorp. by ref. (limits liab.))
Entrust.net Certification Authority (2048) by Entrust.net ((c) 1999 Entrust.net Limited, www.entrust.net/CPS_2048 incorp. by ref. (limits liab.))
Entrust.net Secure Server Certification Authority by Entrust.net ((c) 2000 Entrust.net Limited, www.entrust.net/SSL_CPS incorp. by ref. (limits liab.))
In those cases, for example, if you attempt to use the Test section of the Beacon Performance page to test the HTTP Response of the secure URL, the following error appears in the Status Description column of the Response Metrics table on the URL Test Page:
javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr--https://mgmtsys.acme.com/OracleMyPage.Home
See Also:
"Using Beacons to Monitor Remote URL Availability" in the Enterprise Manager online help
To correct this problem, you must allow the Beacon to recognize the Certificate Authority that was used by the Web Site to support HTTPS. You must add the Certificate of that Certificate Authority to the list of Certificate Authorities recognized by Beacon.
To configure the Beacon to recognize the Certificate Authority:
Obtain the Certificate of the Web Site's Certificate Authority, as follows:
In Microsoft Internet Explorer, connect to the HTTPS URL of the Web Site you are attempting to monitor.
Double-click the lock icon at the bottom of the browser screen, which indicates that you have connected to a secure Web site.
The browser displays the Certificate dialog box, which describes the Certificate used for this Web site. Other browsers offer a similar mechanism to view the Certificate detail of a Web Site.
Click the Certificate Path tab and select the first entry in the list of certificates as shown in Figure 2-16.
Click View Certificate to display a second Certificate dialog box.
Click the Details tab on the Certificate window.
Click Copy to File to display the Certificate Manager Export wizard.
In the Certificate Manager Export wizard, select Base64 encoded X.509 (.CER) as the format you want to export and save the certificate to a text file with an easily-identifiable name, such as beacon_certificate.cer.
Open the certificate file using a text editor.
The content of the certificate file will look similar to the content shown in .
Update the list of Beacon Certificate Authorities as follows:
Locate the b64InternetCertificate.txt file in the following directory of the Agent Home of the Beacon host:
agent_home/sysman/config/
This file contains a list of Base64 Certificates.
Edit the b64InternetCertificate.txt file and add the contents of the Certificate file you just exported to the end of the file, taking care to include all the Base64 text of the Certificate including the BEGIN and END lines.
Restart the Management Agent.
After you restart the Management Agent, the Beacon detects your addition to the list of Certificate Authorities recognized by Beacon and you can successfully monitor the availability and performance of the secure Web site URL.
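The following POSIX shell script is an added example, not part of the Oracle documentation, covering the edit step of the procedure above: it appends an exported Base64 .CER file to b64InternetCertificate.txt only after checking that the file holds one complete PEM block (BEGIN and END lines included) and that the same certificate is not already in the list, and it normalizes the CRLF line endings that a Windows export carries. The file names are those from the procedure; the certificate body used in testing is constructed, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. Appends an exported
# Base64 (.CER) certificate to the Beacon trust list only when it is one
# complete PEM block that is not already present. Windows exports carry CRLF
# endings; they are normalized to LF before checking and appending.

# Exit 0 when file $1 holds exactly one complete PEM certificate block whose
# body lines consist of Base64 characters only.
is_pem_certificate() {
  tr -d '\r' < "$1" | awk '
    /^-----BEGIN CERTIFICATE-----$/ { if (open) bad = 1; open = 1; n++; next }
    /^-----END CERTIFICATE-----$/   { if (!open) bad = 1; open = 0; next }
    open { if ($0 !~ /^[A-Za-z0-9+\/=]+$/) bad = 1; body++ }
    END { exit (bad || open || n != 1 || body == 0) ? 1 : 0 }'
}

# Print the normalized PEM block (BEGIN line through END line) from $1.
pem_block() {
  tr -d '\r' < "$1" |
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# add_beacon_ca CERT_FILE LIST_FILE
# LIST_FILE is agent_home/sysman/config/b64InternetCertificate.txt.
# Prints "added", "present" or "invalid"; restart the Management Agent after
# an "added" result so the Beacon picks up the new Certificate Authority.
add_beacon_ca() {
  cert=$1; list=$2
  is_pem_certificate "$cert" || { echo invalid; return 1; }
  # Compare the Base64 body with line wrapping removed, so a re-wrapped copy
  # of a certificate already in the list is still recognized.
  flat=$(pem_block "$cert" | grep -v '^-----' | tr -d '\n')
  if [ -f "$list" ] && tr -d '\r\n' < "$list" | grep -qF -- "$flat"; then
    echo present; return 0
  fi
  # Make sure the existing list ends with a newline before appending.
  if [ -s "$list" ] && [ -n "$(tail -c 1 "$list")" ]; then echo >> "$list"; fi
  pem_block "$cert" >> "$list"
  echo added
}

if [ $# -eq 2 ]; then add_beacon_ca "$1" "$2"; fi
```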
Oracle Enterprise Manager 11g Release 1 introduces the concept of ORACLE_HOME credentials: the credentials of the operating system user who owns the ORACLE_HOME. The operating system user who installs the software will also need to perform the patching. In Oracle Enterprise Manager 11g Release 1, one can explicitly set the ORACLE_HOME credentials and store them in the Management Repository. While patching, the user can use existing operating system credentials or override them under special circumstances. The user can specify ORACLE_HOME credentials and, in the same interface, choose to store them in the Management Repository for future use.
The Enterprise Manager Command Line Interface (EMCLI) also provides a facility to set ORACLE_HOME credentials. This is useful in cases where the Super Administrator sets the credentials and the user who initiates the patching job is unaware of the actual credentials. For auditing in security-hardened data centers, the owner of the software is usually different from the user who initiates the patching job. The patching application internally switches the user context to the owner of the software and patches the software. To emulate such a case, the patch administrator will set the ORACLE_HOME credentials to the owner of the ORACLE_HOME. The Grid Control user who executes the patching job will be unaware of the credentials. The patching job will internally execute as the owner of the ORACLE_HOME. Grid Control will audit the patching job and capture the name of the Grid Control user who initiated the job. For example, if the owner of the ORACLE_HOME is "X", the patch super administrator in Grid Control is "Y" and the target administrator in Grid Control is "Z". "Y" will set the ORACLE_HOME credential to "X" with the password, using EMCLI. "Z" will submit the patching job using the already stored preferred credentials. Grid Control will audit the job as submitted by "Z".
The following is an example of setting the Oracle Home credentials using the command line:
emcli set_credential -target_type=host -target_name=val1 -credential_set=OHCreds -column="OHUsername:val2;OHPassword:val3" -oracle_homes="val4"
where:
val1 = Hostname
val2 = Oracle Home user name
val3 = Oracle Home password
val4 = Oracle Home location
You can also set credentials for multiple Oracle Homes on the same host using the following command:
emcli set_credential -target_type=host -target_name=val1 -credential_set=OHCreds -column="OHUsername:val2;OHPassword:val3" -oracle_homes="val4;val5"
where:
val1 = Hostname
val2 = Oracle Home user name
val3 = Oracle Home password
val4 = Oracle Home location 1
val5 = Oracle Home location 2
Note:
Only one host can be passed to the verb. To set Oracle Home credentials on multiple hosts, you need a shell or Perl script that reads, one line at a time, from a file containing the host, credential values, and home location, and calls the emcli set_credential verb for each row in the file.
The emcli set_credential command sets preferred credentials for given users. The following table describes the input values to the emcli set_credential command.
Table 2-6 emcli set_credential Parameters
Parameter | Input Value | Description |
---|---|---|
-target_type | -target_type="ttype" | Type of target. Must be "host" if the "-oracle_homes" parameter is specified. |
-target_name | [-target_name="tname"] | Name of target. Omit this argument to set enterprise preferred credentials. Must be the hostname if the "-oracle_homes" parameter is specified. |
-credential_set | -credential_set="cred_set" | Credential set affected. |
-user | [-user="user"] | Enterprise Manager user whose credentials are affected. If omitted, the current user's credentials are affected. |
-columns | -columns="col1:newval1;col2:newval2;..." | The name and new value of the column(s) to set. Every column of the credential set must be specified. Alternatively, a tag from the -input_file argument may be used so that the credential values are not seen on the command line. This argument may be specified more than once. |
-input_file | [-input_file="tag1:file_path1;tag2:file_path2;..."] | Path of a file that holds -columns argument(s). This option is used to hide passwords. Each path must be accompanied by a tag that is referenced in the -columns argument. This argument may be specified more than once. |
-oracle_homes | [-oracle_homes="home1;home2"] | Names of Oracle Homes on the target host. Credentials will be added or updated for all specified homes. |
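The Note above calls for a script that reads rows from a file and calls emcli set_credential once per host. The following POSIX shell script is an added example, not from the Oracle documentation, that does this while keeping each password off the command line through the -input_file tag described in Table 2-6; the row format, host names and the assumption that emcli substitutes the tagged file's contents for the tag in -columns are this example's own, not the page's.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): one emcli set_credential
# call per row of a rows file, as the Note above suggests for several hosts.
# Row format, constructed for this example:
#   host|oh_user|oracle_home[;oracle_home2]|password_file
# Assumption taken from Table 2-6: -input_file="TAG:path" substitutes the
# file's contents for TAG in -columns, so the password never appears on the
# command line (and so never in ps output or shell history).

EMCLI="${EMCLI:-emcli}"   # set EMCLI=echo for a dry run

# Submit the OHCreds credential set for one host. The password file must
# exist and be readable by its owner only, otherwise the row is skipped.
set_oh_credential() {
  host=$1; oh_user=$2; homes=$3; pwfile=$4
  if [ ! -f "$pwfile" ]; then
    echo "skip $host: password file $pwfile missing" >&2; return 1
  fi
  # Characters 5-10 of ls -l output are the group and other permission bits.
  if [ "$(ls -ld "$pwfile" | cut -c5-10)" != "------" ]; then
    echo "skip $host: $pwfile must be mode 0600" >&2; return 1
  fi
  "$EMCLI" set_credential -target_type=host "-target_name=$host" \
    -credential_set=OHCreds "-columns=OHUsername:$oh_user;OHPassword:OHPW" \
    "-input_file=OHPW:$pwfile" "-oracle_homes=$homes"
}

# Walk the rows file $1; blank lines and '#' comments are ignored, malformed
# rows are reported and skipped. Prints "submitted N" when done.
set_oh_credentials_from_file() {
  n=0
  while IFS='|' read -r host oh_user homes pwfile || [ -n "$host" ]; do
    case $host in ''|'#'*) continue ;; esac
    if [ -z "$oh_user" ] || [ -z "$homes" ] || [ -z "$pwfile" ]; then
      echo "skip malformed row: $host" >&2; continue
    fi
    set_oh_credential "$host" "$oh_user" "$homes" "$pwfile" && n=$((n + 1))
  done < "$1"
  echo "submitted $n"
}

if [ $# -gt 0 ]; then set_oh_credentials_from_file "$1"; fi
```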
To patch an Oracle Home owned by a user "Oracle" whose account is locked:
Edit the default patching script and prepend sudo, sudo -u, or pbrun -u to the default patching step. You need to set a policy (by editing the sudoers file) that allows the user submitting the job (who must be a valid operating system user) to run sudo or pbrun without being prompted for a password.
Note:
You cannot patch Oracle Homes without targets. This must be done by using the Patching wizard.
The cloning application is wizard-driven. The source of the Oracle Home being cloned may be either an installed Oracle Home or a Software Library. Following are the steps in the cloning process:
If the source is an installed Oracle Home, then, after selecting the Oracle Home, a user will need to specify the Oracle Home credentials. These credentials, once specified for an Oracle Home, are stored in the repository. The next time a user clones the same Oracle Home, these credentials are automatically populated. Other parameters queried from the user at this point are a temporary location (on the source computer) and the list of files to be excluded from the Oracle Home. If the cloning source is a Software Library, the source Oracle Home credentials will not be queried for.
The user needs to specify the target location and provide the required credentials for each target location. These credentials will be the Oracle Home credentials for each of these target locations. Subsequently, if a user selects any of these cloned Oracle Homes as a source, the Oracle Home credentials are automatically populated.
Depending on the product being cloned, the user can view the Enterprise Manager page where query parameters required for the particular product being cloned are displayed.
The user can then view the execution of user-supplied pre-cloning and post-cloning scripts and the root.sh script. The root.sh script will always be run with sudo privileges, but the user has the option to decide if the pre-cloning and post-cloning scripts run with sudo privileges.
Finally, the user can schedule the cloning job at a convenient time.
For more information about cloning, refer to the Enterprise Manager Online Help.