Contents

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

1 Security Overview

• 1.1 Security Threats
• 1.2 Security Principles
  • 1.2.1 Separation of Duties and Principle of Least Privilege
  • 1.2.2 Encryption
  • 1.2.3 Monitoring for Suspicious Activity (Auditing)
  • 1.2.4 Non-repudiation

2 Security Features

• 2.1 Configuring Authentication
  • 2.1.1 Supported Authentication Schemes
  • 2.1.2 Creating a New Administrator
    • 2.1.2.1 Repository Based Authentication
    • 2.1.2.2 Restoring to the Default Authentication Method
  • 2.1.3 Deleting an Administrator
  • 2.1.4 Oracle Access Manager Single Sign-On Based Authentication
    • 2.1.4.1 Prerequisites
    • 2.1.4.2 Removing Oracle Access Manager Single Sign-On
    • 2.1.4.3 Oracle Application Server Single Sign-On (SSO) Based Authentication
  • 2.1.5 Enterprise User Security Based Authentication
    • 2.1.5.1 Registering Enterprise Users (EUS Users) as Enterprise Manager Users
  • 2.1.6 Oracle Internet Directory (OID)
    • 2.1.6.1 Prerequisites
    • 2.1.6.2 Testing the OID Configuration
  • 2.1.7 Microsoft Active Directory Based Authentication
    • 2.1.7.1 Testing the Microsoft Active Directory Configuration
  • 2.1.8 External Authorization using External Roles
    • 2.1.8.1 Auto Provisioning
    • 2.1.8.2 Using a Different Name to the External Users Display Name
  • 2.1.9 Mapping LDAP User Attributes to Enterprise Manager User Attributes
  • 2.1.10 Changing User Display Names in Enterprise Manager
  • 2.1.11 Configuring Other LDAP/SSO Providers
    • 2.1.11.1 Configuring Single Sign-on based Authentication
  • 2.1.12 Configuring Enterprise User Security based Authentication
  • 2.1.13 Restoring to the Default Authentication Method
    • 2.1.13.1 Bypassing the Single Sign-On Logon Page
    • 2.1.13.2 Restoring the Default Authentication Method
• 2.2 Configuring Privileges and Role Authorization
  • 2.2.1 Understanding Users, Privileges, and Roles
    • 2.2.1.1 Classes of Users
    • 2.2.1.2 Aggregate Target Privileges
  • 2.2.2 Privileges and Roles
    • 2.2.2.1 Administrators and Database Privileges
    • 2.2.2.2 Granting Privileges
    • 2.2.2.3 Fine-grained Access Control
    • 2.2.2.4 Creating Roles
    • 2.2.2.5 Private Roles
    • 2.2.2.6 Using Roles to Manage Privileges
  • 2.2.3 Managing Privileges with Privilege Propagating Groups
    • 2.2.3.1 Example1: Granting various teams different levels of access to target groups
    • 2.2.3.2 Example2: Granting developers view access to target database instances.
    • 2.2.3.3 Entitlement Summary
• 2.3 Configuring Secure Communication
  • 2.3.1 About Secure Communication
  • 2.3.2 Enabling Security for the Oracle Management Service
    • 2.3.2.1 Configuring the OMS with Server Load Balancer
    • 2.3.2.2 Creating a New Certificate Authority
    • 2.3.2.3 Viewing the Security Status and OMS Port Information
    • 2.3.2.4 Configuring Transport Layer Security
  • 2.3.3 Securing the Oracle Management Agent
  • 2.3.4 Managing Agent Registration Passwords
    • 2.3.4.1 Using the Cloud Control Console to Manage Agent Registration Passwords
    • 2.3.4.2 Using emctl to Add a New Agent Registration Password
  • 2.3.5 Restricting HTTP Access to the Management Service
  • 2.3.6 Enabling Security for the Management Repository Database
    • 2.3.6.1 About Oracle Advanced Security and the sqlnet.ora Configuration File
    • 2.3.6.2 Configuring the Management Service to Connect to a Secure Management Repository Database
    • 2.3.6.3 Enabling Oracle Advanced Security for the Management Repository
    • 2.3.6.4 Enabling Security for a Management Agent Monitoring a Secure Management Repository or Database
  • 2.3.7 Custom Configurations
    • 2.3.7.1 Configuring Custom Certificates for WebLogic Server
    • 2.3.7.2 Configuring Custom Certificates for OMS Console Access
    • 2.3.7.3 Configuring Custom Certificates for OMS Upload Access
    • 2.3.7.4 Configuring Transport Layer Security
  • 2.3.8 Secure Communication Setup Tools
    • 2.3.8.1 emctl secure oms
    • 2.3.8.2 emctl secure agent
    • 2.3.8.3 emctl secure wls
    • 2.3.8.4 emctl status oms -details
  • 2.3.9 Configuring Third Party Certificates
    • 2.3.9.1 Configuring a Third Party Certificate for HTTPS Console Users
    • 2.3.9.2 Configuring Third Party Certificate for HTTPS Upload Virtual Host
• 2.4 Configuring and Using Target Credentials
  • 2.4.1 Credential Subsystem
    • 2.4.1.1 Named Credentials
    • 2.4.1.2 Privileged Credentials
    • 2.4.1.3 Monitoring Credentials
    • 2.4.1.4 Preferred Credentials
    • 2.4.1.5 Saving Preferred Credentials for Hosts and Oracle Homes
    • 2.4.1.6 Saving Preferred Credentials to Access My Oracle Support
    • 2.4.1.7 Managing Credentials Using EM CLI
    • 2.4.1.8 Host Authentication Features
• 2.5 Configuring and Using Cryptograhic Keys
  • 2.5.1 Configuring the emkey
  • 2.5.2 emctl Commands
    • 2.5.2.1 emctl status emkey
    • 2.5.2.2 emctl config emkey -copy_to_credstore
    • 2.5.2.3 emctl config emkey -copy_to_file_from_credstore
    • 2.5.2.4 emctl config emkey -copy_to_file_from_repos
    • 2.5.2.5 emctl config emkey -copy_to_credstore_from_file
    • 2.5.2.6 emctl config emkey -copy_to_repos_from_file
    • 2.5.2.7 emctl config emkey -remove_from_repos
  • 2.5.3 Install and Upgrade Scenarios
    • 2.5.3.1 Installing the Management Repository
    • 2.5.3.2 Installing the First Oracle Management Service
    • 2.5.3.3 Upgrading from 10.2 or 11.1 to 12.1
    • 2.5.3.4 Recreating the Management Repository
• 2.6 Configuring and Managing Audit
  • 2.6.1 Auditing Credentials
  • 2.6.2 Default Audit Actions
  • 2.6.3 Configuring the Enterprise Manager Audit System
  • 2.6.4 Configuring the Audit Data Export Service
  • 2.6.5 Updating the Audit Settings
  • 2.6.6 Searching the Audit Data
  • 2.6.7 List of Operations Audited
  • 2.6.8 Auditing the Infrastructure
• 2.7 Additional Security Considerations
  • 2.7.1 Changing the SYSMAN and MGMT_VIEW Passwords
    • 2.7.1.1 Changing the SYSMAN User Password
    • 2.7.1.2 Changing the MGMT_VIEW User Password
  • 2.7.2 Responding to Browser-Specific Security Certificate Alerts
    • 2.7.2.1 Third Party Certificate Workflow
    • 2.7.2.2 Responding to the Internet Explorer Security Alert Dialog Box
    • 2.7.2.3 Responding to the Mozilla Firefox New Site Certificate Dialog Box
    • 2.7.2.4 Responding to the Google Chrome Security Alert Dialog Box
    • 2.7.2.5 Responding to Safari Security Dialog Box

3 Keeping Enterprise Manager Secure

• 3.1 Guidelines for Secure Infrastructure and Installations
  • 3.1.1 Secure the Infrastructure and Operating System
    • 3.1.1.1 Best Practices for Securing the Infrastructure and Operating System
  • 3.1.2 Securing the Oracle Management Repository
    • 3.1.2.1 Enable Advanced Security Option
  • 3.1.3 Securing the Oracle Management Agent
    • 3.1.3.1 Best Practices for Securing the Oracle Management Agent
  • 3.1.4 Secure Communication
    • 3.1.4.1 Enable ICMP
    • 3.1.4.2 Configure Oracle Management Agent for Firewalls
    • 3.1.4.3 Configure Oracle Management Service for Firewalls
  • 3.1.5 Updating the Management Service and Agents to Use SHA2 SSL Certificates
    • 3.1.5.1 Upgrading to SHA2 Certificates
    • 3.1.5.2 Oracle Management Service Upload Certificate
    • 3.1.5.3 Verify the Oracle Management Service Console Certificate
    • 3.1.5.4 Verify the Oracle Management Service CA Certificate
    • 3.1.5.5 Verify the Management Agent Certificates
    • 3.1.5.6 Database Queries
  • 3.1.6 Security Console
    • 3.1.6.1 Overview
    • 3.1.6.2 Pluggable Authentication
    • 3.1.6.3 Flexible Db Access Control
    • 3.1.6.4 Secure Communication
    • 3.1.6.5 Credentials Management
    • 3.1.6.6 Comprehensive Auditing
    • 3.1.6.7 Active User Session Count
    • 3.1.6.8 Best Practices Analysis
• 3.2 Guidelines for SSL Communication
  • 3.2.1 Configure TLSv1 Protocol
  • 3.2.2 Leave Communication in Secure-Lock Mode
    • 3.2.2.1 Secure and Lock the OMS and Agents
  • 3.2.3 Disable Weak Ciphers
    • 3.2.3.1 Third Party Certificates
    • 3.2.3.2 Oracle Wallets
  • 3.2.4 Best Practices for Securing Communication
• 3.3 Guidelines for Authentication
  • 3.3.1 Enable External Authentication
    • 3.3.1.1 Best Practices for Authentication
• 3.4 Guidelines for Authorization
  • 3.4.1 Best Practices for Privilege and Role Management
  • 3.4.2 Use Principle of Least Privileges for Defining Roles/Privileges
  • 3.4.3 Use Privilege Propagation Groups
    • 3.4.3.1 Best Practices for Groups and Systems
• 3.5 Guidelines for Auditing
  • 3.5.1 Best Practices for Auditing
• 3.6 Guidelines for Managing Target Credentials
  • 3.6.1 Best Practices for Credentials

4 Troubleshooting

• 4.1 Troubleshooting Authentication Issues in Enterprise Manager
  • 4.1.1 Enabling the WebLogic Debug Flag
  • 4.1.2 Debugging errors in ldap_trace.logATN file
  • 4.1.3 Invalid Credentials
  • 4.1.4 Timeout in LDAP Server'
  • 4.1.5 Errors Outside ldap_trace.logATN'

5 References

A Roles

• A.1 Out-of-Box Roles
• A.2 User Access to Database Targets without SYSDBA Privileges
  • A.2.1 Creating an Administrator
  • A.2.2 Users Requiring Access to the Database Performance Page
  • A.2.3 User Requiring Accessing AWR/ADDM
  • A.2.4 User Requiring Access to SQL Access Advisor
  • A.2.5 User Requiring Access to SQL Tuning Advisor

B Privileges

C Audit Operations

Index