Contents
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
1 Security Overview
1.1 Security Threats
1.2 Security Principles
1.2.1 Separation of Duties and Principle of Least Privilege
1.2.2 Encryption
1.2.3 Monitoring for Suspicious Activity (Auditing)
1.2.4 Non-repudiation
2 Security Features
2.1 Configuring Authentication
2.1.1 Supported Authentication Schemes
2.1.2 Creating a New Administrator
2.1.2.1 Repository Based Authentication
2.1.2.2 Restoring to the Default Authentication Method
2.1.3 Deleting an Administrator
2.1.4 Oracle Access Manager Single Sign-On Based Authentication
2.1.4.1 Prerequisites
2.1.4.2 Removing Oracle Access Manager Single Sign-On
2.1.4.3 Oracle Application Server Single Sign-On (SSO) Based Authentication
2.1.5 Enterprise User Security Based Authentication
2.1.5.1 Registering Enterprise Users (EUS Users) as Enterprise Manager Users
2.1.6 Oracle Internet Directory (OID)
2.1.6.1 Prerequisites
2.1.6.2 Testing the OID Configuration
2.1.7 Microsoft Active Directory Based Authentication
2.1.7.1 Testing the Microsoft Active Directory Configuration
2.1.8 External Authorization using External Roles
2.1.8.1 Auto Provisioning
2.1.8.2 Using a Different Name to the External Users Display Name
2.1.9 Mapping LDAP User Attributes to Enterprise Manager User Attributes
2.1.10 Changing User Display Names in Enterprise Manager
2.1.11 Configuring Other LDAP/SSO Providers
2.1.11.1 Configuring Single Sign-on based Authentication
2.1.12 Configuring Enterprise User Security based Authentication
2.1.13 Restoring to the Default Authentication Method
2.1.13.1 Bypassing the Single Sign-On Logon Page
2.1.13.2 Restoring the Default Authentication Method
2.2 Configuring Privileges and Role Authorization
2.2.1 Understanding Users, Privileges, and Roles
2.2.1.1 Classes of Users
2.2.1.2 Aggregate Target Privileges
2.2.2 Privileges and Roles
2.2.2.1 Administrators and Database Privileges
2.2.2.2 Granting Privileges
2.2.2.3 Fine-grained Access Control
2.2.2.4 Creating Roles
2.2.2.5 Private Roles
2.2.2.6 Using Roles to Manage Privileges
2.2.3 Managing Privileges with Privilege Propagating Groups
2.2.3.1 Example 1: Granting various teams different levels of access to target groups
2.2.3.2 Example 2: Granting developers view access to target database instances
2.2.3.3 Entitlement Summary
2.3 Configuring Secure Communication
2.3.1 About Secure Communication
2.3.2 Enabling Security for the Oracle Management Service
2.3.2.1 Configuring the OMS with Server Load Balancer
2.3.2.2 Creating a New Certificate Authority
2.3.2.3 Viewing the Security Status and OMS Port Information
2.3.2.4 Configuring Transport Layer Security
2.3.3 Securing the Oracle Management Agent
2.3.4 Managing Agent Registration Passwords
2.3.4.1 Using the Cloud Control Console to Manage Agent Registration Passwords
2.3.4.2 Using emctl to Add a New Agent Registration Password
2.3.5 Restricting HTTP Access to the Management Service
2.3.6 Enabling Security for the Management Repository Database
2.3.6.1 About Oracle Advanced Security and the sqlnet.ora Configuration File
2.3.6.2 Configuring the Management Service to Connect to a Secure Management Repository Database
2.3.6.3 Enabling Oracle Advanced Security for the Management Repository
2.3.6.4 Enabling Security for a Management Agent Monitoring a Secure Management Repository or Database
2.3.7 Custom Configurations
2.3.7.1 Configuring Custom Certificates for WebLogic Server
2.3.7.2 Configuring Custom Certificates for OMS Console Access
2.3.7.3 Configuring Custom Certificates for OMS Upload Access
2.3.7.4 Configuring Transport Layer Security
2.3.8 Secure Communication Setup Tools
2.3.8.1 emctl secure oms
2.3.8.2 emctl secure agent
2.3.8.3 emctl secure wls
2.3.8.4 emctl status oms -details
2.3.9 Configuring Third Party Certificates
2.3.9.1 Configuring a Third Party Certificate for HTTPS Console Users
2.3.9.2 Configuring Third Party Certificate for HTTPS Upload Virtual Host
2.4 Configuring and Using Target Credentials
2.4.1 Credential Subsystem
2.4.1.1 Named Credentials
2.4.1.2 Privileged Credentials
2.4.1.3 Monitoring Credentials
2.4.1.4 Preferred Credentials
2.4.1.5 Saving Preferred Credentials for Hosts and Oracle Homes
2.4.1.6 Saving Preferred Credentials to Access My Oracle Support
2.4.1.7 Managing Credentials Using EM CLI
2.4.1.8 Host Authentication Features
2.5 Configuring and Using Cryptographic Keys
2.5.1 Configuring the emkey
2.5.2 emctl Commands
2.5.2.1 emctl status emkey
2.5.2.2 emctl config emkey -copy_to_credstore
2.5.2.3 emctl config emkey -copy_to_file_from_credstore
2.5.2.4 emctl config emkey -copy_to_file_from_repos
2.5.2.5 emctl config emkey -copy_to_credstore_from_file
2.5.2.6 emctl config emkey -copy_to_repos_from_file
2.5.2.7 emctl config emkey -remove_from_repos
2.5.3 Install and Upgrade Scenarios
2.5.3.1 Installing the Management Repository
2.5.3.2 Installing the First Oracle Management Service
2.5.3.3 Upgrading from 10.2 or 11.1 to 12.1
2.5.3.4 Recreating the Management Repository
2.6 Configuring and Managing Audit
2.6.1 Auditing Credentials
2.6.2 Default Audit Actions
2.6.3 Configuring the Enterprise Manager Audit System
2.6.4 Configuring the Audit Data Export Service
2.6.5 Updating the Audit Settings
2.6.6 Searching the Audit Data
2.6.7 List of Operations Audited
2.6.8 Auditing the Infrastructure
2.7 Additional Security Considerations
2.7.1 Changing the SYSMAN and MGMT_VIEW Passwords
2.7.1.1 Changing the SYSMAN User Password
2.7.1.2 Changing the MGMT_VIEW User Password
2.7.2 Responding to Browser-Specific Security Certificate Alerts
2.7.2.1 Third Party Certificate Workflow
2.7.2.2 Responding to the Internet Explorer Security Alert Dialog Box
2.7.2.3 Responding to the Mozilla Firefox New Site Certificate Dialog Box
2.7.2.4 Responding to the Google Chrome Security Alert Dialog Box
2.7.2.5 Responding to Safari Security Dialog Box
3 Keeping Enterprise Manager Secure
3.1 Guidelines for Secure Infrastructure and Installations
3.1.1 Secure the Infrastructure and Operating System
3.1.1.1 Best Practices for Securing the Infrastructure and Operating System
3.1.2 Securing the Oracle Management Repository
3.1.2.1 Enable Advanced Security Option
3.1.3 Securing the Oracle Management Agent
3.1.3.1 Best Practices for Securing the Oracle Management Agent
3.1.4 Secure Communication
3.1.4.1 Enable ICMP
3.1.4.2 Configure Oracle Management Agent for Firewalls
3.1.4.3 Configure Oracle Management Service for Firewalls
3.1.5 Updating the Management Service and Agents to Use SHA2 SSL Certificates
3.1.5.1 Upgrading to SHA2 Certificates
3.1.5.2 Oracle Management Service Upload Certificate
3.1.5.3 Verify the Oracle Management Service Console Certificate
3.1.5.4 Verify the Oracle Management Service CA Certificate
3.1.5.5 Verify the Management Agent Certificates
3.1.5.6 Database Queries
3.1.6 Security Console
3.1.6.1 Overview
3.1.6.2 Pluggable Authentication
3.1.6.3 Flexible Db Access Control
3.1.6.4 Secure Communication
3.1.6.5 Credentials Management
3.1.6.6 Comprehensive Auditing
3.1.6.7 Active User Session Count
3.1.6.8 Best Practices Analysis
3.2 Guidelines for SSL Communication
3.2.1 Configure TLSv1 Protocol
3.2.2 Leave Communication in Secure-Lock Mode
3.2.2.1 Secure and Lock the OMS and Agents
3.2.3 Disable Weak Ciphers
3.2.3.1 Third Party Certificates
3.2.3.2 Oracle Wallets
3.2.4 Best Practices for Securing Communication
3.3 Guidelines for Authentication
3.3.1 Enable External Authentication
3.3.1.1 Best Practices for Authentication
3.4 Guidelines for Authorization
3.4.1 Best Practices for Privilege and Role Management
3.4.2 Use Principle of Least Privileges for Defining Roles/Privileges
3.4.3 Use Privilege Propagation Groups
3.4.3.1 Best Practices for Groups and Systems
3.5 Guidelines for Auditing
3.5.1 Best Practices for Auditing
3.6 Guidelines for Managing Target Credentials
3.6.1 Best Practices for Credentials
4 Troubleshooting
4.1 Troubleshooting Authentication Issues in Enterprise Manager
4.1.1 Enabling the WebLogic Debug Flag
4.1.2 Debugging errors in ldap_trace.logATN file
4.1.3 Invalid Credentials
4.1.4 Timeout in LDAP Server
4.1.5 Errors Outside ldap_trace.logATN
5 References
A Roles
A.1 Out-of-Box Roles
A.2 User Access to Database Targets without SYSDBA Privileges
A.2.1 Creating an Administrator
A.2.2 Users Requiring Access to the Database Performance Page
A.2.3 User Requiring Accessing AWR/ADDM
A.2.4 User Requiring Access to SQL Access Advisor
A.2.5 User Requiring Access to SQL Tuning Advisor
B Privileges
C Audit Operations
Index