16 Defining Credentials

As part of the target type definition, you can define the types of credentials specific to the plug-in target type. For example, you can define the username and password required by the plug-in to connect to a target instance to collect metric data, or to invoke a specific Enterprise Manager job.

The Enterprise Manager credential subsystem enables Enterprise Manager administrators to store credentials in a secure manner as preferences or operation credentials. The credentials can then be used to perform various system management activities such as real-time monitoring, patching, provisioning, and other target administrative operations.

In this release, the credential subsystem supports storing, accessing, and modifying of fixed number user name/password based credentials as preferred credentials, which other Enterprise Manager subsystems access to build automation solutions. The credential subsystem also supports sudo/powerbroker based impersonation support.

This chapter covers the following:

16.1 Introduction to Security Concepts

The following sections describe the concepts associated with credential service integration:

16.1.1 Understanding Credential Types

Credential type is the type of authentication supported by a target type. For example, a host can support a user name and password based authentication, public key authentication, or kerberos authentication. Various authentication schemes are supported, including native agent authentication and SSH.

The native agent authentication scheme employs a user name and password structure, while the SSH key authentication scheme uses a user name/private key/public key structure.

16.1.2 About Named Credentials

A named credential contains a users' authentication information on a system. A named credential can be a user name and password, a public key-private key pair, or an X509v3 certificate. An Enterprise Manager administrator can store these credentials as named entities in Enterprise Manager to use when performing operations such as running jobs, patching, and other system management tasks. For example, you can store the user name and password that you want to use for patching as MyPatchingCreds. You can then later submit a patching job that uses MyPatchingCreds to patch the production databases.

Named credentials can be created for the credential types in Enterprise Manager 12c. The most commonly used credential types for host and database target types are described in the following sections.

For more information about named credentials, see the "Configuring and Using Target Credentials" section in the Oracle Enterprise Manager Cloud Control Security Guide, available at the following location:


16.1.3 Authenticating Target Types

The authenticating target type is the target type that a credential can authenticate against. For example, a SQLScript job has the host credential DBHostCreds that is used to authenticate against the database host. Therefore, the target type for DBHostCreds is Database Instance and the authenticating target type is Host.

16.1.4 Overview of Credential Sets

A credential set is a placeholder for a credential. Credential sets can be used to decouple credentials from a system that uses a credential. For example, a patching job can be submitted to use the credential set "Normal Host Credentials" while being executed.

The "Normal Host Credentials" credential set can also be set to the actual named credential. The credential set to named credential mapping for the target can be changed without editing the system that uses the credential.

16.1.5 Using the Credential Store

The credential store is a logical store for all the named credentials of an Enterprise Manager administrator in the Enterprise Manager. The Enterprise Manager administrator's user name has a logical private credential store. Individual credentials can be identified by credential names. Enterprise Manager administrators can add, edit, and delete named credentials in the credential store.

16.1.6 About the Credential Reference

The credential reference is a way to refer to a credential. There are three ways credentials can be referenced:

  • Credential Name

    The credential is referenced using the name of the credential in the credential store.

  • Credential Set

    The credential is referenced using the credential set name and the target name. The lookup retrieves the credential associated with the credential set name and target name.

  • Direct

    The credential is specified by providing the values of the attributes. This reference does not refer to a credential in the credential store.

16.2 Defining Credential Metadata

Credential metadata is defined within the target type metadata file. See Chapter 3, "Creating Target Metadata Files" for more information about this file.

All credential metadata for a target type is defined within the CredentialInfo element. This element in turn contains the following subelements:

  • A CredentialType element that defines the type of credentials to be used to access target instances

  • A CredentialSet element that instantiates an instance of CredentialType

The following example defines username and password the credentials required to authenticate with hosts running instances of the target.

Example 16-1 Credential Metadata


 <!-- The types of credentials: target host username/password -->
  <CredentialType NAME="HostCreds">
    <Label NLSID="CREDS_HOST_HOSTCREDS">Host Credentials</Label>
   <CredentialTypeColumn NAME="HostUserName" IS_KEY="TRUE">
    <Label NLSID="CREDS_HOST_USERNAME">UserName</Label>
  <CredentialTypeColumn NAME="HostPassword">
    <Label NLSID="CREDS_HOST_Password">Password</Label>
<!-- The CredentialSet that creates an instance of CredentialType -->
 <CredentialSet NAME="HostCredsNormal" CREDENTIAL_TYPE="HostCreds"
   <Label NLSID="CREDS_HOST_HOSTCREDS_NORMAL">Normal Host Credentials</Label>
  <CredentialSetColumn TYPE_COLUMN="HostUserName" SET_COLUMN="username">
    <Label NLSID="CREDS_NORMAL_USER">Normal Username</Label>
  <CredentialSetColumn TYPE_COLUMN="HostPassword" SET_COLUMN="password">
    <Label NLSID="CREDS_NORMAL_PASSWORD">Normal Password</Label>

16.2.1 Overview of Credential Elements

The key elements that define credentials are described in the following table:

Table 16-1 Key elements in a plugin.xml file

Element Required (Y/N) Description



The root element for the credentials definition. Contains CredentialType and CredentialSet elements.



Contains one or more CredentialTypeColumn elements, each defining a credential such as "TargetUsername" or "TargetPassword". Used to access target instances.



Instatiates an instance of the credential set defined in CredentialType. It includes the following attributes:


    Identifies the CredentialType from which this CredentialSet is created.


    Values are MONITORING (default), which is used to directly connect to the target, PREFERRED_CRED, which is the user's preferred credentials, or SYSTEM, which is used by specialized applications such as patching or cloning.



A subelement of CredentialType. Defines a single credential and maps that credential to its corresponding column in the CredentialType. It includes the following attributes:


    Specifies the CredentialTypeColumn that this CredentialSetColumn maps to.


    Identifies the column definition in the CredentialSet.