3 Security Features

Oracle Enterprise Manager Ops Center provides security services for user authentication, custom user authorization, and protection for data in repositories and during network transmissions. Oracle Enterprise Manager Ops Center also provides network authentication between its infrastructure components using standard certificates.

Oracle Enterprise Manager Ops Center uses standard protocols and third-party solutions to secure data and operations, using TLS and X.509v3 certificates, and secure HTTP and PAM (Pluggable Authentication Modules) protocols to provide the following services:

Authentication
Authorization
Access Control
Data Protection

3.1 Configuring and Using Authentication

Authentication allows a system to verify the identity of users and other systems that request access to services or data. In a multi-tier application, the entity or caller can be a human user, a business application, a host, or one entity acting on behalf of another entity.

3.1.1 Identity Management for Users

Users log in to the browser interface to use the product. The credentials must be valid for the Oracle Enterprise Manager Ops Center installation.

Add users to Oracle Enterprise Manager Ops Center from the local authentication subsystem of the Enterprise Controller's operating system or from a separate directory server.

3.1.1.1 Configuring an LDAP Server

You can add directory servers to Oracle Enterprise Manager Ops Center. Users and roles are added to the product from the directory server. The information in this section is also in the Oracle Enterprise Manager Ops Center Administration Guide.

To grant roles to the users in a directory server, you create groups on the directory server that correspond to the roles in Oracle Enterprise Manager Ops Center. You grant a role to a user by adding the user to the corresponding group, and remove a role from a user by removing them from the group. You cannot edit the roles of a directory server user through the Oracle Enterprise Manager Ops Center user interface.

Users that are added from a directory server begin with complete privileges for each of their roles.

To Configure the Directory Server

You must configure the remote directory server before adding it to Oracle Enterprise Manager Ops Center.

Create the following user groups on the directory server:
- ASSET_ADMIN
- CLOUD_ADMIN
- CLOUD_USER
- EXALOGIC_ADMIN
- FAULT_ADMIN
- NETWORK_ADMIN
- OPS_CENTER_ADMIN
- PROFILE_PLAN_ADMIN
- READ
- REPORT_ADMIN
- ROLE_ADMIN
- SECURITY_ADMIN
- SERVER_DEPLOY_ADMIN
- STORAGE_ADMIN
- Update_ADMIN
- Update_SIM_ADMIN
- USER_ADMIN
- VIRT_ADMIN
Add users to these groups. The users within each group are given the role corresponding to the group.

To Add a Directory Server

Select Administration in the Navigation pane.
Click Directory Servers.
Click the Add Directory Server icon.

The Remote Directory Server Connection Settings page is displayed.
Enter the following connection settings:
- Name: The name of the directory server.
- Host: The host name of the directory server.
- Port: The port number to be used to access the directory server.
- SSL: Check this box to use TLS to connect to the directory server.
- Anonymous Bind: Check this box to use anonymous binding to access the directory server.
- Username: The user name used to access the directory server. Username is required only if Anonymous Bind is not checked.
- Password: The password for the given user name. Password is required only if Anonymous Bind is not checked.
- Authentication: Select Use Directory Server for Authentication or Use Ops Center Local Authentication.
Click Next.

The Remote Directory Server Schema Settings page is displayed.
Enter the following schema settings:
- Root suffix: The root node of the directory tree.
- Group search DN: The container or operational unit in which to search for the role groups.
- Group search scope: The scope of the group search. Select Search One Level or Search Subtree.
- User search DN: The container or operational unit in which to search for users.
- User search scope: The scope of the user search. Acceptable values are base, one, subtree, baseObject, singleLevel, wholeSubtree, or subordinateSubtree.
- User search filter: An LDAP search filter which users must meet for inclusion.
Click Next.

The Summary page is displayed.
Review the summary, then click Add Directory Server.

3.1.1.2 Configuring PAM Authentication

Oracle Enterprise Manager Ops Center uses Pluggable Authentication Modules (PAM) to validate credentials for user accounts of users who log in to the browser interface. The default PAM service allows Oracle Enterprise Manager Ops Center users to log in to the system in the standard way.

The pam-service-name parameter sets the PAM service for the oem-ec instance of the cacao daemon.

Oracle Solaris: The default value is pam-service-name=other
Linux: The default value is pam-service-name=passwd

If you require control of Oracle Enterprise Manager Ops Center's PAM configuration, create a PAM service with a different service name, which uses different PAM modules.

To see the current value of the pam-service-name parameter, use the following cacaoadm command:

./cacaoadm get-param -i oem-ec pam-service-name

To change the authentication service from the operating system's default to a different service name, use the following procedure. If this is a High Availability environment, perform the procedure on both the primary node and on the standby node.

On a Linux system, create a configuration file or edit the existing configuration file for the service to use. The configuration file has the same name as the service.
```
/etc/pam.d/filename
```
On an Oracle Solaris 10 system, edit the following file:
```
/etc/pam.conf
```

Change the contents of the configuration file. For example:

auth       required     pam_warn.so debug
auth       required     pam_safeword.so.1 debug
account    include      system-auth
password   include      system-auth

To initialize the PAM service with the new configuration, stop the Enterprise Controller:
```
/opt/sun/xvmoc/bin/satadm stop
```

Change the value of the pam-service-name parameter

./cacaoadm set-param -i oem-ec pam-service-name=opscenter

Verify the change:

./cacaoadm get-param -i oem-ec pam-service-name

Restart the Enterprise Controller:
```
/opt/sun/xvmoc/bin/satadm start
```

Note:

If you use the SafeNet SafeWord® Agent for PAM software (pam_safeword.so), you can use the SafeWord static password mode or single-use dynamic password mode, but you cannot use the dynamic challenge password mode. To use single-use dynamic passwords, you must modify the pam_safeword.cfg file to ensure that the User ID source is set to SYSTEM and not USER. The SYSTEM setting causes the authentication process to get the User ID from the /etc/passwd file.

3.1.2 Credentials for My Oracle Support

In Connected mode, the Oracle Enterprise Manager Ops Center software requires the user to provide one or more sets of My Oracle Support credentials. These credentials are used to authenticate and authorize downloading product updates, creating Service Requests, and retrieving warranty information, in addition to the initial authentication between the Enterprise Controller's system and My Oracle Support.

3.1.3 Credentials for IAAS and Cloud Deployments

Some commands for the IAAS platform require a parameter for the location of the private key file. Because the private key authenticates a cloud user, this file is sensitive and must be managed as a security risk:

The file must be owned by the user running the IAAS command-line interface.
The file must have the highest restrictive permission: read-only by file owner.

3.2 Configuring and Using Authorization

Authorization allows a system to determine the privileges which users and other systems have for accessing resources on that system.

Roles grant users the ability to use the different functions of Oracle Enterprise Manager Ops Center. By giving a role to a user, an administrator can control what functions are available to that user and for which groups of assets.

An Enterprise Controller Admin can grant users different roles for the Enterprise Controller, the All Assets group, and any user-defined groups. A user who is assigned a role for a group receives the same role for all subgroups. See Follow the Principle of Least Privilege for a list of the available roles and their functions.

Caution:

A user with the Apply Deployment Plans, Exalogic Systems Admin, or SuperCluster Systems Admin role can apply an operational profile to a managed system using root access. Take care when assigning these roles because the role allows the user to use an operational profile to run scripts.

3.2.1 Credential Management for Assets

Oracle Enterprise Manager Ops Center uses credentials to discover and manage assets and to establish trust between internal components. Examples of the types of credentials managed by Oracle Enterprise Manager Ops Center include:

SSH credentials for Operating System instances and hardware service processors.
IPMI credentials for hardware service processors

To see a list of all the types of credentials, select Credentials in the Administration section, then click Create Credentials in the Actions pane. The drop-down list shows all of the supported protocols.

Oracle Enterprise Manager Ops Center requires remote network access and administrative privileges to discover and manage an asset. This can be done either by using a privileged account or by combining the credentials of a non-privileged user account with the credentials for the administrative account. In this case, Oracle Enterprise Manager Ops Center uses the non-privileged user account to connect to the system and then uses the administrative account to inquire about the characteristics of the system.

To discover an ILOM system, the account must have administrator privileges on the system, and both IPMI and ssh credentials must be provided.

Note:

IPMI communications from the Proxy Controller to the ILOM system are not encrypted. To protect the transmissions, isolate the ILOM system and the Proxy Controller it uses within your private administrative network.

3.2.1.1 Using SSH Key-Based Authentication

If you prefer not to use password-based SSH credentials, create an SSH key to get access to remote assets, such as operating systems, ILOM service processors, and XSCF service processors. The assets must support the SSH protocol. Oracle Enterprise Manager Ops Center does not protect the SSH keys. If you choose to use this method, you must ensure the following:

You must create the SSH key on each Proxy Controller that needs to get access to the asset.
For an OS asset, you must add the SSH public key to the ~/.ssh/authorized_keys file. For a hardware asset, you must use the asset's Web interface to upload the public SSH key.

To create the SSH key, use the Create Credentials action.

Enter a name for the key.
Click the Custom SSH key button, as shown in Figure 3-1, to enable the remaining fields.

Figure 3-1 Creating an SSH Public Key

Description of "Figure 3-1 Creating an SSH Public Key"
In Login User, enter the name of the account that uses this key.
The location of the key file is set to the default location for the sshkey-gen utility. If your site uses a different location, edit this field.
(Optional) For OS assets, create a privileged user such as root, or a non-privileged user with keys. Provide a password for the role.

The passphrase is an optional addition to the password and is created at the same time as the key.
Click Create to create the SSH key.

3.2.1.2 Creating Credentials for Access to the Serial Console or SSH Tunnel

The information is this section is also in the Oracle Enterprise Manager Ops Center Feature Reference Guide.

To enable a connection to a service processor or virtual machine, define the user account that Oracle Enterprise Manager Ops Center uses to open an SSH tunnel on the Enterprise Controller or to create a serial connection.

Note:

If you do not specify this account, Oracle Enterprise Manager Ops Center creates an account each time it accesses a serial console and deletes the account when the connection is no longer needed. This activity might not conform to your site's security policy.

The following types of assets use SSH to connect to a serial console. Create an account for each type and define the same password for each account.

Proxy Controllers
Global zones that use agents and require access to the consoles of non-global zones
Control domains that use agents and require access to the consoles of logical domains

To create the account, define the ConsoleSSHCredname system property using the procedure in Defining the system property for console access and then define a user account for that property using either the procedure in Creating the account using Oracle Enterprise Manager Ops Center or the procedure in Creating the account using the useradd command.

Defining the system property for console access

Select the Administration section in the Navigation pane.
Select the Configuration tab in the center pane.
In the Subsystem list, select Console Access Configuration. The ConsoleSSH.Credname system property is displayed.
Click in the Values column.
Enter the name of the new user account. For example, SERIALCONSOLE_CRED1.

Figure 3-2 Configuring Console Access

Description of "Figure 3-2 Configuring Console Access "
Click Save.

When the job is completed, define the account using the following procedure.

Creating the account using Oracle Enterprise Manager Ops Center

You must have the Security Admin role to perform this procedure.

After you define the user account, the account is created automatically in /etc/passwd the first time a job for console access is run. However, if your site's security policy requires that the operating system account must be created outside of Oracle Enterprise Manager Ops Center's control or if you prefer to create the account manually, use the procedure described in Creating the account using the useradd command.

Select the Administration in the Navigation pane.
Select Credentials in the Navigation pane.
Click Create Credentials in the Actions pane.
Select the SERIAL_CONSOLE_SSH protocol and enter the following details:
- Name of the credential: Enter the value of the ConsoleSSH.Credname system property. In this example, SERIALCONSOLE_CRED1.
- Login User: Enter a convenient or descriptive name for the user account, for example, ConsoleAccess.
- Password for the user account and its confirmation.
Figure 3-3 User Account for Console Access

Description of "Figure 3-3 User Account for Console Access "
Click Create to submit the job.

Creating the account using the useradd command

Create the home directory for the account. In the following example, the account is named consolex:
```
mkdir /var/tmp/consolex
```
Add the user account with its shell, /opt/sun/n1gc/bin/serial_console:
```
useradd -s "/opt/sun/n1gc/bin/serial_console" -d /var/tmp/consolex -u uid -P "profile" -A "solaris.zone.manage" consolex
```
where uid is an available user ID on the Enterprise Controller's system and profile is either LDoms Review for a control domain or Zone Management for a global zone. The -A option is a feature of Oracle Solaris 11's useradd(1m) command that includes an authorization defined in auth_attr(4).

Change the ownership of the home directory:

/bin/chown consolex /var/tmp/consolex
/bin/chmod 700 /var/tmp/consolex

Set and confirm the password for the account:
```
passwd consolex
```

3.2.1.3 Using the agentadm Command to Manage Assets

The information in this section is also in the Oracle Enterprise Manager Ops Center Feature Reference Guide.

Although it is possible to discover assets without providing credentials, Oracle Enterprise Manager Ops Center is limited in its ability to manage or monitor these assets. If you prefer not to store credentials for assets in the product software, install the Agent Controller on each asset manually.

Use these procedures to install an Agent Controller and to register the target system.

Before You Begin

To use the agentadm command, you need the following information:

To configure your Agent Controller software using an administrative user account on the Enterprise Controller you need:
- User name: the user account provides authentication that supports Agent Controller registration. Use the user name of this account as the argument for the -u option of the agentadm command.
- Password: use this password to populate the /var/tmp/OC/mypasswd file. Then use this file name as the argument for the -p option of the agentadm command.
The auto-reg-token registration token from the /var/opt/sun/xvm/persistence/scn-proxy/connection.properties file on the appropriate Proxy Controller – If you decide not to use user credentials to configure your Agent Controller software, use this token to populate the /var/tmp/OC/mytoken file. Then use this file name as the argument for the agentadm -t option.
IP address or host name of the Proxy Controller with which you will associate the Agent Controller – Use this IP address or host name as the argument for the agentadm -x option. Typically, you would associate the Agent Controller with the Proxy Controller that is connected to the same subnet as the target system.
The IP address of the network interface that the Agent Controller will use for registration – Use this IP address as the argument for the agentadm -a option.

Some example agentadm commands in this procedure use the alternative administrative user name droot. In these examples, the droot user exists on the Enterprise Controller.

When you install an Agent Controller on a global zone, the Agent Controller installation installs, or upgrades to Java Runtime Environment (JRE) 1.6.0_51. Later versions of JRE are not affected.

3.2.1.3.1 Using User Credentials to Install and Configure an Agent Controller Manually

This procedure creates a file that holds the password of the administrative user for your Oracle Enterprise Manager Ops Center installation.

On the Enterprise Controller, change to the /var/opt/sun/xvm/images/agent/ directory, and list the files that it contains to see the Agent Controller installation archives. For example:

# cd /var/opt/sun/xvm/images/agent/
# ls
OpsCenterAgent.Linux.i686.12.2.0.2503.zip
OpsCenterAgent.Linux.i686.12.2.0.2503.zip.sig
OpsCenterAgent.Solaris.i386.12.2.0.2503.zip
OpsCenterAgent.Solaris.i386.12.2.0.2503.zip.sig
OpsCenterAgent.Solaris.sparc.12.2.0.2503.zip
OpsCenterAgent.Solaris.sparc.12.2.0.2503.zip.sig
OpsCenterAgent.SolarisIPS.all.12.2.0.2503.zip
OpsCenterAgent.SolarisIPS.all.12.2.0.2503.zip.sig
#

Identify the Agent Controller archive that is appropriate for the system where you intend to install the Agent Controller, the target system. See Table 3-1 for a description of the available packages.

Table 3-1 Agent Controller Packages and Their Operating System and Architecture

File prefix	Operating System / Architecture
OpsCenterAgent.Linux.i686	Oracle Linux/x86
OpsCenterAgent.Solaris.i386	Oracle Solaris 10/x86
OpsCenterAgent.Solaris.sparc	Oracle Solaris 10 / Oracle SPARC
OpsCenterAgent.SolarisIPS.all	Oracle Solaris 11 / x86 and Oracle SPARC

On the system where you want to install the Agent Controller, create the following directory:
```
# mkdir /var/tmp/OC
```

Use scp or ftp to transfer the Agent Controller archive from the Enterprise Controller to the /var/tmp/OC directory. Respond to any authentication or confirmation prompts that are displayed. For example:

# scp OpsCenterAgent.Solaris.sparc.12.2.0.2503.zip root@10.0.0.0:/var/tmp/OC
Password:
OpsCenterAgent.S 100% |*********************************************************************| 187078 KB 00:32
#

Navigate to the /var/tmp/OC directory:
```
# cd /var/tmp/OC
#
```
Use the unzip command to uncompress the Agent Controller archive. For example:
```
# unzip OpsCenterAgent.Solaris.sparc.12.2.0.2503.zip
(output omitted)
```

If you are installing the Agent Controller on Oracle Solaris 8-10, run the install -a script in the OpsCenterAgent directory. For example:

# OpsCenterAgent/install -a
Installing Ops Center Agent Controller.
No need to install 120900-04.
No need to install 121133-02.
No need to install 119254-63.
No need to install 119042-09.
No need to install 121901-02.
No need to install 137321-01.
Installed SUNWjdmk-runtime.
Installed SUNWjdmk-runtime-jmx.
(output omitted)
6 patches skipped.
19 packages installed.
Installation complete.
Detailed installation log is at /var/scn/install/log.
Uninstall using /var/scn/install/uninstall.

If you are installing the Agent Controller on Oracle Solaris 11, run the install command with the -p option and specify the IP address. The command configures a local IPS repository using the IP address. For example:

# OpsCenterAgent/install -p 10.0.0.1

If you are installing an Oracle VM Server Virtualization Controller Agent, use the -l (or --ldom) option.

Create an empty file named /var/tmp/OC/mypasswd, and set its permission mode to 400. For example:
```
# touch /var/tmp/OC/mypasswd
# chmod 400 /var/tmp/OC/mypasswd
```
Edit the /var/tmp/OC/mypasswd file to add the password for the administrative user that exists on the Enterprise Controller to which the Proxy Controller is connected. The following echo command appends the password to the /var/tmp/OC/mypasswd file. Replace the password with the correct password. For example:
```
# echo 'password' > /var/tmp/OC/mypasswd
```
Use the agentadm command to associate the Agent Controller with the Proxy Controller.
- Oracle Solaris OS: /opt/SUNWxvmoc/bin/agentadm configure
- Linux OS: /opt/sun/xvmoc/bin/agentadm configure
  
  The example commands below use the following options:
- -u: Specifies the administrative user that exists on the Enterprise Controller to which the Proxy Controller is connected. Be certain that the password that you specified in the /var/tmp/OC/mypasswd file is correct for the user that you specify for this option.
  
  Note:
  The examples use droot as the administrative user.
- -p: Specifies the absolute path name of the file that contains the password for the user that you specified with the -u option.
- -x: Specifies the IP address or host name of the Proxy Controller to which this Agent Controller will connect.
- -a: Specifies the IP address to use during Agent Controller registration. This selects the network interface that the Agent Controller will use for registration. Accept the server's certificate when prompted. For example:
```
# /opt/SUNWxvmoc/bin/agentadm configure -u droot -p /var/tmp/OC/mypasswd -x 10.0.0.0
agentadm: Version 1.0.3 launched with args: configure -u droot -p /var/tmp/OC/mypasswd -x 10.0.0.1
workaround configuration done.
Certificate:
Serial Number: 947973225
Version: 3
Issuer: CN=flyfishing_scn-proxy_ca
Subject: CN=flyfishing_scn-proxy_Agent Controller
Not valid before: Thu Jun 19 15:36:59 MDT 1969
Not valid after: Thu Apr 19 15:36:59 MDT 2029
Certificate:
Serial Number: 1176469424
Version: 3
Issuer: CN=flyfishing_scn-proxy_ca
Subject: CN=flyfishing_scn-proxy_ca
Not valid before: Thu Jun 19 15:36:56 MDT 1969
Not valid after: Thu Apr 19 15:36:56 MDT 2029
Accept server's certificate? (y|n)
y
Connection registered successfully.
scn-Agent Controller configuration done.
Checking if UCE Agent Controller process is still running, it may take a couple of minutes ...
Process is no longer running
UCE Agent Controller is stopped.
UCE Agent Controller is in [online] state.
Checking if UCE Agent Controller process is up and running ...
The process is up and running.
UCE Agent Controller is started.
Added the zone configuration automation successfully.
Added the service tags recreate script successfully.
#
```
  Error messages similar to Connection cannot be registered in the following example typically indicate problems with the user credentials that you specified in the agentadm command. In this example, the user droot was not authenticated on the Enterprise Controller. If you see this error, check that the user name that you supplied for the agentadm -u option, and the password in the file that you specified for the agentadm -p option, match an existing administrative user on the Enterprise Controller.
```
Accept server's certificate? (y|n)
y
Error with connection to CRS: com.sun.scn.connmgt.SCNRegClientException: droot, Code: 4, Code: 4
ERROR : Connection cannot be registered.
Code--2
sc-console registration failed on [2].
sc-console : User authentication error.
Error executing step : sc_console
```
  If the system where you are installing the Agent Controller has multiple active network interfaces, you can use the -a option to specify the IP address of the interface that you want to use for Agent Controller registration. For example:
```
# /opt/SUNWxvmoc/bin/agentadm configure -u droot -p /var/tmp/OC/mypasswd -x 10.0.0.0 -a 10.0.0.1
(output omitted)
```
If you encountered a Connection cannot be registered error message from the agentadm command, use agentadm to unconfigure the Agent Controller. For example:
```
# /opt/SUNWxvmoc/bin/agentadm unconfigure
agentadm: Version 1.0.3 launched with args: unconfigure
verified sc_console command is OK
End of validation
{output omitted}
End of configuration.
```
After the Agent Controller has been unconfigured, correct the problem that was indicated by the error message, and re-run the agentadm configure command.

Use the sc-console command to list the Agent Controller connection. For example:

# sc-console list-connections
scn-Agent Controller https://10.0.0.0:21165 urn:scn:clregid:abcdef12-6899-4bcc-9ac7-a6ebaf71c1f5:20090420171121805
#

3.2.1.3.2 Using a Token to Install and Configure an Agent Controller Manually

This procedure uses a token to configure your Agent Controller software.

On the Enterprise Controller, change to the /var/opt/sun/xvm/images/agent/ directory, and list the files that it contains. This directory contains the Agent Controller installation archives. For example:

# cd /var/opt/sun/xvm/images/agent/
# ls
OpsCenterAgent.Linux.i686.12.1.0.zip
OpsCenterAgent.Linux.i686.12.1.0.zip.sig
OpsCenterAgent.SunOS.i386.12.1.0.zip
OpsCenterAgent.SunOS.i386.12.1.0.zip.sig
OpsCenterAgent.SunOS.sparc.12.1.0.zip
OpsCenterAgent.SunOS.sparc.12.1.0.zip.sig
#

Identify the Agent Controller archive that is appropriate for the system where you intend to install the Agent Controller. See Table 3-1 for a description of the available packages.
On the system where you want to install the Agent Controller, create the following directory:
```
# mkdir /var/tmp/OC
```

# scp OpsCenterAgent.Solaris.sparc.12.2.0.2503.zip root@10.0.0.0:/var/tmp/OC
Password:
OpsCenterAgent.S 100% |*********************************************************************| 187078 KB 00:32
#

On the target system, change to the /var/tmp/OC directory.
```
# cd /var/tmp/OC
#
```
Use the unzip command to uncompress the Agent Controller archive. For example:
```
# unzip OpsCenterAgent.SunOS.sparc.12.1.0.zip
(output omitted)
```

If you are installing the Agent Controller on Oracle Solaris 8-10, run the install -a script in the OpsCenterAgent directory. For example:

# OpsCenterAgent/install -a
Installing Ops Center Agent Controller.
No need to install 120900-04.
No need to install 121133-02.
No need to install 119254-63.
No need to install 119042-09.
No need to install 121901-02.
No need to install 137321-01.
Installed SUNWjdmk-runtime.
Installed SUNWjdmk-runtime-jmx.
(output omitted)
6 patches skipped.
19 packages installed.
Installation complete.
Detailed installation log is at /var/scn/install/log.
Uninstall using /var/scn/install/uninstall.
#

# OpsCenterAgent/install -p 10.0.0.1
#

On the Proxy Controller that will communicate with this Agent Controller instance, examine the /var/opt/sun/xvm/persistence/scn-proxy/connection.properties file. The last line in this file contains the auto-reg-token that is required for Agent Controller registration. For example:

# cat /var/opt/sun/xvm/persistence/scn-proxy/connection.properties
#Generated by a program. Do not edit. All manual changes subject to deletion.

(output omitted)

trust-store=/var/opt/sun/xvm/security/jsse/scn-proxy/truststore
auto-reg-token=abcdef12-1700-450d-b038-ece0f9482474\:1271743200000\:T
#

On the system where you have installed the Agent Controller software, create an empty file named /var/tmp/OC/mytoken, and set its permission mode to 400. For example:
```
# touch /var/tmp/OC/mytoken
# chmod 400 /var/tmp/OC/mytoken
```
Edit the /var/tmp/OC/mytoken file so that it contains the auto-reg-token string from Proxy Controller with the following changes:
- Remove the auto-reg-token=.
- Remove any backslash characters from the token string. For example:
```
abcdef12-1700-450d-b038-ece0f9482474:1271743200000:T
```

Use the agentadm command to associate the Agent Controller with a Proxy Controller.

Oracle Solaris OS: /opt/SUNWxvmoc/bin/agentadm configure
Linux OS: use the /opt/sun/xvmoc/bin/agentadm configure

The example commands use the following options:
-t: specifies the absolute path name of the file that contains the registration token.
-x: specifies the IP address or host name of the Proxy Controller to which this Agent Controller will connect.

-a: specifies the IP address to use during Agent Controller registration. This selects the network interface that the Agent Controller will use for registration. Accept the server's certificate when prompted. For example:

# /opt/SUNWxvmoc/bin/agentadm configure -t /var/tmp/OC/mytoken -x 10.0.0.0
agentadm: Version 1.0.3 launched with args: configure -t /var/tmp/OC/mytoken -x 10.0.0.0
workaround configuration done.

Certificate:
Serial Number: 947973225
Version: 3
Issuer: CN=flyfishing_scn-proxy_ca
Subject: CN=flyfishing_scn-proxy_Agent Controller
Not valid before: Thu Jun 19 15:36:59 MDT 1969
Not valid after: Thu Apr 19 15:36:59 MDT 2029

Certificate:
Serial Number: 1176469424
Version: 3
Issuer: CN=flyfishing_scn-proxy_ca
Subject: CN=flyfishing_scn-proxy_ca
Not valid before: Thu Jun 19 15:36:56 MDT 1969
Not valid after: Thu Apr 19 15:36:56 MDT 2029

Accept server's certificate? (y|n)
y
Connection registered successfully.
scn-Agent Controller configuration done.
Checking if UCE Agent Controller process is still running, it may take a couple of minutes ...
Process is no longer running
UCE Agent Controller is stopped.
UCE Agent Controller is in [online] state.
Checking if UCE Agent Controller process is up and running ...
The process is up and running.
UCE Agent Controller is started.
Added the zone configuration automation successfully.
Added the service tags recreate script successfully.
#

If the system where you are installing the Agent Controller has multiple active network interfaces, you can use the -a option to specify the IP address of the interface that you want to use for Agent Controller registration. For example:

# /opt/SUNWxvmoc/bin/agentadm configure -t /var/tmp/OC/mytoken -x 10.0.0.0 -a 10.0.0.1
(output omitted)

If you encountered a Connection cannot be registered error message from the agentadm command, use agentadm to unconfigure the Agent Controller. For example:
```
# /opt/SUNWxvmoc/bin/agentadm unconfigure
agentadm: Version 1.0.3 launched with args: unconfigure
verified sc_console command is OK
End of validation

{output omitted}
End of configuration.
```
After the Agent Controller has been unconfigured, correct the problem that was indicated by the error message, and re-run the agentadm configure command.

Use the sc-console command to list the Agent Controller connection. For example:

# sc-console list-connections
scn-Agent Controller https://10.0.0.0:21165 urn:scn:clregid:abcdef12-6899-4bcc-9ac7-a6ebaf71c1f5:20090420171121805
#

3.2.1.4 Changing Credentials of Managed Assets

The information is this section is also in the Oracle Enterprise Manager Ops Center Administration Guide.

3.2.1.4.1 Upgrading Management Credentials From a Previous Version

Assets that were discovered and managed in prior versions of Oracle Enterprise Manager Ops Center might not have management credentials associated with them. You can associate new or existing sets of credentials with these assets.

If a discovered asset is blacklisted, the same can be removed by updating the management credentials.

To upgrade management credentials, perform the following steps:

On the Navigation pane, select All Assets.
In the Actions pane, click Upgrade Management Credentials.
Select an asset category: operating systems; servers; or chassis, m-series, and switches.
Select one or more assets of that category.
- To assign an existing set of credentials, select Assign existing set and then select an existing set of credentials.
- To assign a new set of credentials, select Create and assign new set and then enter a protocol, name, and credential information.

3.2.1.4.2 Updating Management Credentials

You can change the set of management credentials used by an asset or group of assets.

To update management credentials, perform the following steps:

On the Navigation pane, select an asset or group.
In the Actions pane, click Update Management Credentials.
Click Select to select an existing set of credentials, or click New to create a new set.

3.2.1.4.3 Creating Management Credentials

You can create a new set of management credentials. These credentials can then be used to discover and manage new assets or to manage existing assets.

To create management credentials, perform the following steps:

On the Navigation pane, under Administration, select Credentials.
In the Actions pane, click Create Credentials.
Select a protocol, then enter a name for the set of credentials and the information required by the protocol.
Click Create to create the management credentials.

3.2.1.4.4 Editing Management Credentials

You can edit an existing set of management credentials to reflect changes to the managed assets.

To edit management credentials, perform the following steps:

On the Navigation pane, under Administration, select Credentials.
In the center pane, select a set of credentials and click the Edit Credentials icon.
Edit the description and the information required by the protocol, then click Update to save the changes.

3.2.1.4.5 Copying Management Credentials

You can copy an existing set of management credentials to create a new set.

To copy management credentials, perform the following steps:

On the Navigation pane, under Administration, select Credentials.
In the center pane, select a set of credentials and click the Copy Credentials icon.
Edit the name, description, and the information required by the protocol, then click Copy to save the new set of credentials.

3.2.1.4.6 Deleting Management Credentials

You can delete an existing set of management credentials. Discovery profiles that use the credentials might no longer function, and Agentless assets that are managed using the credentials must be given a new set.

To delete management credentials, perform the following steps:

On the Navigation pane, under Administration, select Credentials.
In the center pane, select a set of credentials and click the Delete Credentials icon.
Click OK to delete the credentials.

3.2.1.5 Creating a Credential Plan

As an alternative to using the Create Credential and Edit Credential actions, create and apply a plan that updates credentials.

Expand Plan Management in the Navigation pane.
Scroll down to the Credentials section and click it.
Click Create Credentials in the Action pane.
Click the drop-down list of protocols to select the type of protocol. Enter a name and description of the purpose of these credentials, for example, the type of asset they support.
Enter the credentials.
Click the Create button.

3.2.1.6 Applying the Credential Plan

To apply a credential plan to an asset:

Expand Plan Management in the Navigation pane.
Scroll down to the Credentials section and click a plan.

The window displays the assets that use these credentials and are affected by any change.
Click Apply.

3.2.2 Certificate Management

By default, Oracle Enterprise Manager Ops Centers uses self-signed certificates for authentication between the web container and the browser client. Oracle Enterprise Manager Ops Center does not provide certificates signed by a Certificate Authority such as Verisign because an Authority requires the name of the domain where the certificate will be used. The Oracle Enterprise Manager Ops Center software cannot be delivered with a generated signed certificate because the domain where the Web server of the Enterprise Controller runs is unknown until the customer installs the software. However, after installation, use the procedure in Substituting Certificates for the Glassfish Web Container to replace the self-signed certificate with a certificate from a Certificate Authority.

3.3 Configuring and Using Access Control

Access control allows a system to grant access to resources only in ways that are consistent with security policies defined for those resources.

3.3.1.1 Verifying Security of Session Cookies

Oracle Enterprise Manager Ops Center uses cookies to store session data for individual users. The cookies are encrypted using JSESSIONID and use the http-only flag to deny access to scripting languages.

The HTTP protocol includes the TRACE method to echo input. Because it is possible to use TRACE requests to view session cookies, Oracle Enterprise Manager Ops Center redirects HTTP transactions to HTTPS where the TRACE method is disabled. To confirm that TRACE is disabled, use the following command on the Enterprise Controller's system or a Proxy Controller's system:

# curl -v --insecure -X TRACE https://<hostname>:9443
(output omitted)
HTTP/1.1 405 TRACE method is not allowed

3.3.1.2 Setting the Expiration Time for Sessions

The browser controls a session's inactivity timer with a default time of 30 minutes. Consider changing the expiration time to a shorter duration, using the following procedure:

Click Setup in the title bar of the browser window.
Click My Preferences and then User Interface Preferences, as in Figure 3-4.

Figure 3-4 User Interface Preferences

Description of "Figure 3-4 User Interface Preferences"
In the Time Intervals section of the User Interface Preferences window, change the value in the Session Timeout field.

3.3.2 Removing Code Examples

The command-line interface includes code examples.If you consider these examples to be a security risk, remove them with the following procedure:

Log in as root user.
Issue the following command:
```
rm -rf /opt/SUNWoccli/doc/examples  
```

3.4 Configuring and Using Data Protection

Using an NFS Server
Backing Up and Restoring the Enterprise Controller

3.4.1 Using an NFS Server

NFS protocol requires agreement on the Domain Name System (DNS) that the NFS server and NFS clients use. The server and a client must agree on the identity of the authorized users accessing the share.

The Oracle Enterprise Manager Ops Center software prepares an NFS client to mount the share. Use the following procedure to prepare the NFS server on an Oracle Solaris 10. The same procedure is also supported in Oracle Solaris 11 system, or you can use a new procedure, described in Oracle Solaris Administration: ZFS File Systems.

Setting Up a Share on an NFS Server

Create the directory to share, and set its ownership and permission modes. For example:
```
# mkdir -p /export/lib/libX
# chmod 777 /export/lib/libX
```
Open the /etc/dfs/dfstab file on the NFS server.
Add an entry to share the directory. For example, to share the directory named /export/lib/libX, create the following entry:
```
share -F nfs -o rw,"Share 0" /export/lib/libX
```
If you want the NFS share to be accessible from other network domains, use the rw option to specify a list of allowed domains:
```
share -F nfs -o rw=IPaddress1,IPaddress2 "Share 0" export/lib/libX
```
Share the directory and then verify that the directory is shared. For example:
```
# shareall
# share
export/lib/libX   rw, "Share 0"
```
The share now allows a root user on the NFS clients to have write privileges.

3.4.2 Backing Up and Restoring the Enterprise Controller

The information is this section is also in the Oracle Enterprise Manager Ops Center Administration Guide.

Oracle Enterprise Manager Ops Center has several tools that can be used for disaster recovery. These tools let you preserve Oracle Enterprise Manager Ops Center data and functionality if the Enterprise Controller or Proxy Controller systems fail.

The ecadm backup and ecadm restore commands back up and restore the Enterprise Controller. They also back up and restore the colocated Proxy Controller unless otherwise specified.

The ecadm backup command creates a tar file that contains all of the Oracle Enterprise Manager Ops Center information stored by the Enterprise Controller, including asset data, administration data, job history, and the database password. You can specify the name and location of the backup file and the log file. The ecadm backup command does not back up software and storage library contents. Run the ecadm backup command regularly and save the backup file on a separate system.

If the Enterprise Controller system fails, you can use the ecadm restore command and the backup file to restore the Enterprise Controller to its previous state on the original system or on a new system. The new Enterprise Controller system must have the same version of Oracle Enterprise Manager Ops Center installed as was used when the backup was made. The ecadm restore command accepts the name of the backup file as input, and restores the Enterprise Controller to the state it had at the time of the backup. If the new Enterprise Controller system has a new IP address, you must manually update the Proxy Controllers to use the new IP address.

Some of the procedures described in this section use the ecadm and proxyadm commands. See the Oracle Enterprise Manager Ops Center Administration Guide for more information about these commands.

On Oracle Solaris systems, these commands are in the /opt/SUNWxvmoc/bin/ directory.
On Linux systems, these commands are in the /opt/sun/xvmoc/bin/ directory.

The following features and topics are covered in this chapter:

Backing Up an Enterprise Controller
Restoring an Enterprise Controller

3.4.2.1 Backing Up an Enterprise Controller

You can create a backup for the Enterprise Controller using the ecadm command with the backup subcommand.

Note:

The ecadm backup command does not back up the /var/opt/sun/xvm/images/os directory. This is because the size of some of the OS image files in this directory can be prohibitively large.

In addition to running the ecadm backup command, you should back up the /var/opt/sun/xvm/images/os directory and manually archive the files to another server, file-share facility, or a location outside of the /var/opt/sun directory.

To Back Up an Enterprise Controller

By default, the server data is saved in a backup file in the /var/tmp directory with a file name that includes a date and time stamp. You can define the file name and location during the backup, as shown in the example below.

If you are using an embedded database, the backup file includes the product schema from the embedded database. If you are using a customer-managed database, you can back up the database schema using the --remotedb option, or you can use the existing backup and recover processes implemented by your database administrator.

From the command line, log in to the Enterprise Controller system.
Use the ecadm command with the backup subcommand to back up the Enterprise Controller.

The following options may be used with the ecadm command:
- -o|--output <backup file>: Specify the file in which the backup archive is generated. Do not specify a path inside the /opt/*xvm* directories. The default output file is /var/tmp/sat-backup-<date>-<time>.tar.
- -c|--configdir <dir>: Specify an alternate backup configuration directory.
- -l|--logfile <logfile>: Save output from command in <logfile>. Log files are stored in the /var/opt/sun/xvm/logs/ directory.
- -d|--description <description string>: Embed the <description string> as the description of the backup archive.
- -r|--remotedb: If the Enterprise Controller uses a customer-managed database, export the database schema to a file in the /var/tmp/ocdumpdir directory on the database server. This does not perform a full database backup, which the database administrator should perform separately.
- -t|--tag <tag>: Embed <tag> as a single-word tag in the backup archive
- -T|--tempdir <dir>: Specify the temporary staging directory location.
- -v|--verbose: Increase verbosity level (may be repeated)
For example:
```
ecadm backup -o /var/backup/EC-17December.tar
ecadm: using logFile = /var/opt/sun/xvm/logs/sat-backup-2012-12-17-16:21:12.log
ecadm: *** PreBackup Phase
ecadm: *** Backup Phase
ecadm: *** PostBackup Phase
ecadm: *** Backup complete
ecadm: *** Output in /var/backup/EC-12December.tar
ecadm: *** Log in /var/opt/sun/xvm/logs/sat-backup-2012-12-17-16:21:12.log
```
Save the contents of the most recent upgrade installation directory. This directory is a child of the /var/opt/sun/xvm/update-saved-state/ directory, and is named according to the version number.
Copy the backup file to a separate system.

3.4.2.2 Restoring an Enterprise Controller

You can use a backup file to restore the state of the Enterprise Controller to the state it had at the time of the backup.

To Restore an Enterprise Controller

This procedure restores the data from the backup file, which is the archive created by the ecadm backup operation.

If you are using an embedded database, the restore process restores the product schema from the embedded database. If you are using a customer-managed database, you can use the --remotedb optionto restore the product schema on the customer-managed database, or leave this option off to make no changes to the database.

Prepare the Enterprise Controller system.
- If you are restoring the backup on a new system, then the host name and Enterprise Controller software version of the restored system must match those of the backed up system.
- If you are restoring the backup on the same system, but the software has become corrupt or an upgrade failed, uninstall the Enterprise Controller software.
  
  Run the install script with the -e and -k options. The -e option uninstalls the Enterprise Controller and co-located Proxy Controller, and the -k option preserves the Oracle Configuration Manager software. For example:
```
# cd /var/tmp/OC/xvmoc_full_bundle
# install -e -k
```
- If you are restoring the backup on the same system, and the software is functioning normally, unconfigure the Enterprise Controller.
Install the Enterprise Controller if it has not been installed, but do not configure the Enterprise Controller, as the ecadm restore command restores your configuration settings.
- Oracle Solaris OS: See the Oracle Enterprise Manager Ops Center Installation Guide for Oracle Solaris Operating System.
- Linux OS: See the Oracle Enterprise Manager Ops Center Installation Guide for Linux Operating Systems.
Upgrade the Enterprise Controller to the same version that was running when the backup was made, if it is not already running that version. Perform this upgrade from the command line.
Run the ecadm command with the restore subcommand and the -i <backup directory location and file name> flag.

The following options may be used with the ecadm command:
- -i|--input <backup file>: (Required) Specify the location of the backup file.
- -c|--configdir <dir>: Specify an alternate restore configuration directory.
- -l|--logfile <logfile>: Save output from command in <logfile>. Log files are stored in the /var/opt/sun/xvm/logs/ directory.
- -r|--remotedb: If the Enterprise Controller uses a customer-managed database, this option restores the product schema on that database. If you are restoring on a new database system, copy the .dmp file from the /var/tmp/ocdumpdir directory that corresponds with your backup file to the new system and verify that it is owned by the oracle user on the new system.
- -e|--echa: If the Enterprise Controller is configured in HA mode, this option indicates that the colocated Proxy Controller should not be restored.
- -T|--tempdir <dir>: Specify the temporary staging directory location.
- -v|--verbose: Increase verbosity level (may be repeated)
For example:
```
ecadm restore -i /var/backup/EC-17December.tar
ecadm: using logFile = /var/opt/sun/xvm/logs/sat-restore-2012-12-17-21:37:22.log
ecadm: *** PreRestore Phase
ecadm: *** Restore Phase
ecadm: *** PostRestore Phase
ecadm: *** Log in /var/opt/sun/xvm/logs/sat-restore-2012-12-17-21:37:22.log
```
For an Enterprise Controller with a co-located Proxy Controller, check the Proxy Controller's status using the proxyadm command with the status subcommand. If the Proxy Controller is stopped, restart it using the proxyadm command with the start subcommand and the -w option.
```
# proxyadm status
offline
# proxyadm start -w
proxyadm: Starting Proxy Controller with SMF...
proxyadm: Proxy Controller services have started
#
```

Note:

After restoring the Enterprise Controller, the asset details might take several minutes to display completely in the user interface.

Example: Restoring an Enterprise Controller With an Embedded Database

In this example, the ecadm restore command includes options to set the restore in verbose mode (-v), and to create a restore log (-l) for debugging purposes. The input (-i) option specifies the backup file location.

# /opt/SUNWxvmoc/bin/ecadm restore -v -i /var/tmp/OC/server1/EC-17December.tar -l logfile-restore-15January.log

Example: Restoring an Enterprise Controller With a Customer-Managed Database

In this example, the ecadm restore command includes the (-r) option to restore the database schema on a customer-managed database. The input (-i) option specifies the backup file location.

# /opt/SUNWxvmoc/bin/ecadm restore -i /var/tmp/OC/server1/EC-17December.tar -r

Example: Restoring an Enterprise Controller With a Customer-Managed Database Without Restoring the Database Schema

# /opt/SUNWxvmoc/bin/ecadm restore -v -i /var/tmp/OC/server1/EC-17December.tar -l logfile-restore-15January.log