3 Security Features

Enterprise Manager Ops Center provides security services for user authentication, custom user authorization, and protection for data in repositories and during network transmissions. Enterprise Manager Ops Center also provides network authentication between its infrastructure components using standard certificates.

Enterprise Manager Ops Center uses standard protocols and third-party solutions to secure data and operations: SSL with X.509v3 certificates, secure HTTP, and PAM (Pluggable Authentication Modules). Together they provide the following services:

Configuring and Using Authentication

Authentication allows a system to verify the identity of users and other systems that request access to services or data. In a multitier application, the entity or caller can be a human user, a business application, a host, or one entity acting on behalf of another entity.

Identity Management

Users log in to the browser interface to use the product. The credentials must be valid user IDs for the underlying operating system and must have been added to Enterprise Manager Ops Center.

The operating system stores all user accounts and manages them. Enterprise Manager Ops Center uses Pluggable Authentication Modules (PAM) to validate credentials for user accounts of users who log into the browser interface. The default PAM service allows Enterprise Manager Ops Center users to log into the system in the standard way.

The PAM service is set by the pam-service-name configuration parameter for the oem-ec instance of the cacao daemon.

  • Oracle Solaris: The default value is pam-service-name=other

  • Linux: The default value is pam-service-name=passwd

If you require control of the PAM configuration used by Enterprise Manager Ops Center, you can create a PAM service with a different service name, which uses different PAM modules.

To see the current value of the pam-service-name parameter, use the following cacaoadm command:

./cacaoadm get-param -i oem-ec pam-service-name

To change the authentication service from the operating system's default to a different service name, use the following procedure:

  1. On a Linux system, create a configuration file or edit the existing configuration file for the service to use. The configuration file has the same name as the service.

    /etc/pam.d/filename
    

    On an Oracle Solaris 10 system, edit the following file:

    /etc/pam.conf
    
  2. Change the contents of the configuration file. For example:

    auth       required     pam_warn.so debug
    auth       required     pam_safeword.so.1 debug
    account    include      system-auth
    password   include      system-auth
    
  3. To initialize the PAM service with the new configuration, stop the Enterprise Controller:

    /opt/sun/xvmoc/bin/satadm stop
    
  4. Change the value of the pam-service-name parameter:

    ./cacaoadm set-param -i oem-ec pam-service-name=opscenter
    
  5. Verify the change:

    ./cacaoadm get-param -i oem-ec pam-service-name
    
  6. Restart the Enterprise Controller:

    /opt/sun/xvmoc/bin/satadm start
    

Note:

If you use the SafeNet SafeWord® Agent for PAM software (pam_safeword.so), you can use the SafeWord static password mode or single-use dynamic password mode, but you cannot use the dynamic challenge password mode. To use single-use dynamic passwords, you must modify the pam_safeword.cfg file to ensure that the User ID source is set to SYSTEM and not USER. The SYSTEM setting causes the authentication process to get the User ID from the /etc/passwd file.
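A pre-flight check for the Linux service file created in step 1 of the procedure above, to run before the Enterprise Controller is restarted. This is an added example, not part of the Ops Center software or its documentation; the function name check_pam_service and its optional directory argument are assumptions of the example, and the demo input is constructed from the step 2 sample.

```sh
#!/bin/sh
# check_pam_service SERVICE [PAM_DIR]
# Lints a Linux PAM service file; prints one finding per line, or "OK".
# PAM_DIR defaults to /etc/pam.d; the override exists only so a staged copy
# can be checked (an assumption of this example, not an Ops Center setting).
check_pam_service() {
    file="${2:-/etc/pam.d}/$1"
    if [ ! -f "$file" ]; then
        # Linux-PAM uses the "other" service when no file matches the name.
        echo "MISSING: $file (PAM would fall back to 'other')"
        return 0
    fi
    bad=0
    # A PAM file writable by non-root users lets them rewrite the auth stack.
    if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "PERMS: $file is group- or world-writable"
        bad=1
    fi
    awk -v bad="$bad" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        { type = $1; sub(/^-/, "", type); seen[type] = 1 }
        type == "auth" && /pam_permit\.so/ {
            print "WEAK: auth stack calls pam_permit.so, which always succeeds"
            bad = 1
        }
        END {
            if (!seen["auth"])    { print "NO-AUTH: no auth entries"; bad = 1 }
            if (!seen["account"]) { print "NO-ACCOUNT: no account entries"; bad = 1 }
            if (!bad) print "OK"
        }
    ' "$file"
}

# Demo on constructed input: the service file from step 2, staged in a temp dir.
demo_dir=$(mktemp -d)
cat > "$demo_dir/opscenter" <<'EOF'
auth       required     pam_warn.so debug
auth       required     pam_safeword.so.1 debug
account    include      system-auth
password   include      system-auth
EOF
chmod 644 "$demo_dir/opscenter"
check_pam_service opscenter "$demo_dir"     # well-formed service file
check_pam_service opscentre "$demo_dir"     # misspelled service name
rm -rf "$demo_dir"
```

The misspelled-name case matters because the value given to pam-service-name must match the file name exactly; otherwise logins are evaluated against the `other` service instead of the stack you wrote.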

Credential Management

Enterprise Manager Ops Center uses credentials to discover and manage assets and to establish trust between internal components. Passwords are protected by encryption if stored or transmitted over the network. Enterprise Manager Ops Center manages the following credentials:

  • SSH credentials for managed Operating System instances and hardware service processors.

  • IPMI credentials for hardware service processors.

Enterprise Manager Ops Center requires administrative privileges for a system to discover and manage the system. To discover a system, Enterprise Manager Ops Center also requires remote network access to the system. This can be done either by using a privileged account or by combining the credentials of a non-privileged user account with the credentials for the administrative account. In this case, Enterprise Manager Ops Center uses the non-privileged user account to connect to the system and then uses the administrative account to inquire about the characteristics of the system.

To discover an ILOM system, the account must have administrator privileges on the system, and both IPMI and SSH credentials must be provided.

Note:

IPMI communications from the Proxy Controller to the ILOM system are not encrypted. Protect the transmissions by isolating the ILOM system and the Proxy Controller it uses within your private administrative network.

Enterprise Manager Ops Center does not provide certificates signed by a Certificate Authority such as Verisign because an authority's certificates require the domain where the certificate will be used to be specified. The Web server of the Enterprise Controller runs in the domain where the customer installs the software.

Enterprise Manager Ops Center has self-signed certificates that it uses for authentication between the web container and the browser client. Because the domain name is specific to your installation, the Enterprise Manager Ops Center software cannot be delivered with a generated signed certificate from a certificate authority. See Substitute Certificates for instructions in replacing the self-signed certificate with a certificate from a Certificate Authority.

In Connected mode, the Enterprise Manager Ops Center software requires the user to provide one or more sets of My Oracle Support credentials. These credentials are used to authenticate and authorize downloading product updates, creating Service Requests, and retrieving warranty information, in addition to the initial authentication between the Enterprise Controller's system and My Oracle Support.

Configuring and Using Authorization

Authorization allows a system to determine the privileges which users and other systems have for accessing resources on that system.

Roles grant users the ability to use the different functions of Oracle Enterprise Manager Ops Center. By giving a role to a user, an administrator can control what functions are available to that user and for which groups of assets.

An Enterprise Controller Admin can grant users different roles for the Enterprise Controller, the All Assets group, and any user-defined groups. A user who is assigned a role for a group receives the same role for all subgroups. See Follow the Principle of Least Privilege for a list of the available roles and their functions.

Caution:

A user with Provision and Admin permissions is able to apply an operational profile to a managed system using root access. Take care when assigning Provision or Admin roles because the role also allows the user to use an operational profile to run scripts.

Configuring and Using Access Control

Access control allows a system to grant access to resources only in ways that are consistent with security policies defined for those resources.

The Enterprise Controller connects to the Internet to download OS updates, Oracle Solaris images, and updates for the Enterprise Manager Ops Center software itself. When an update is requested, the Enterprise Controller retrieves the software from the Knowledge Base (KB) or vendor site. This mode of operation is called Connected mode. If a site security policy does not allow Internet connections, Enterprise Manager Ops Center can operate in Disconnected mode.

In Disconnected mode, you must manually load the Knowledge Base data and updates to the Enterprise Controller so that provisioning tasks can be fulfilled. For the Oracle Solaris operating system, Enterprise Manager Ops Center provides a script to run on a system that is connected to the Internet to obtain the baselines and updates. You then transfer the baselines and updates to the Enterprise Controller. In effect, you create a static KB on the Enterprise Controller that you must maintain. For all other supported operating systems and firmware, obtain the software in a media format, such as a CD or DVD, and upload the information to the Local Content library in Enterprise Manager Ops Center.

Configuring and Using Data Protection

The NFS protocol requires agreement on the Domain Name System (DNS) that the NFS server and NFS clients use. The server and a client must agree on the identity of the authorized users accessing the share.

The Enterprise Manager Ops Center software prepares an NFS client to mount the share. Use the following procedure to prepare the NFS server:

To Set Up a Share on the NFS Server

  1. Create the directory to share, and set its ownership and permission modes. For example:

    # mkdir -p /export/lib/libX
    # chmod 777 /export/lib/libX
    
  2. Open the /etc/dfs/dfstab file on the NFS server.

  3. Add an entry to share the directory. For example, to share the directory named /export/lib/libX, create the following entry:

    share -F nfs -o rw -d "Share 0" /export/lib/libX
    

    If you want the NFS share to be accessible from other network domains, use the rw option to specify a list of allowed domains:

    share -F nfs -o rw=IPaddress1:IPaddress2 -d "Share 0" /export/lib/libX
    
  4. Share the directory and then verify that the directory is shared. For example:

    # shareall
    # share
    /export/lib/libX   rw, "Share 0"
    

    The share now allows a root user on the NFS clients to have write privileges.
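To review what the entries in /etc/dfs/dfstab expose, the following added example (not part of the Ops Center software or its documentation) classifies each share line by who may write to it. The function names audit_dfstab and sample_dfstab and the host names in the sample are assumptions of the example; the sample entries are constructed and use the share syntax with -d for the description and a colon-separated access list.

```sh
#!/bin/sh
# audit_dfstab [FILE]
# Reads dfstab-style "share" lines (FILE, or stdin when omitted) and prints
# "<path> <exposure>" for each NFS share. Hypothetical helper for this example.
audit_dfstab() {
    awk '
        $1 != "share" { next }          # comments, blanks, other commands
        {
            opts = ""; rwall = 0; rwlist = 0; ro = 0; root = 0
            # The option string is the argument that follows -o.
            for (i = 2; i < NF; i++) if ($i == "-o") opts = $(i + 1)
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw")                        rwall = 1
                else if (o[j] ~ /^rw=/)                  rwlist = 1
                else if (o[j] == "ro" || o[j] ~ /^ro=/)  ro = 1
                else if (o[j] ~ /^root=/)                root = 1
            }
            if (rwall)       v = "OPEN-RW"       # any client may write
            else if (rwlist) v = "LIMITED-RW"    # only listed clients may write
            else if (ro)     v = "READ-ONLY"
            else             v = "OPEN-RW"       # share_nfs default is rw to all
            if (root) v = v "+ROOT"              # listed hosts keep root identity
            print $NF, v
        }
    ' "${1:--}"
}

# Constructed dfstab entries; host names client1, client2, admin1 are made up.
sample_dfstab() {
    cat <<'EOF'
# NFS shares for the software library
share -F nfs -o rw -d "Share 0" /export/lib/libX
share -F nfs -o rw=client1:client2 -d "Share 1" /export/lib/libY
share -F nfs -o ro,root=admin1 /export/iso
share -F nfs /export/tmp
EOF
}

sample_dfstab | audit_dfstab
```

An OPEN-RW result on a directory created with mode 777, as in step 1, means any host that can reach the NFS server can modify the library contents, so such shares belong on the private administrative network or behind an rw= access list.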