As part of the target type definition, you can define the types of credentials specific to the plug-in target type. For example, you can define the username and password required by the plug-in to connect to a target instance to collect metric data, or to invoke a specific Enterprise Manager job.
The Enterprise Manager credential subsystem enables Enterprise Manager administrators to store credentials in a secure manner as preferences or operation credentials. The credentials can then be used to perform various system management activities such as real-time monitoring, patching, provisioning, and other target administrative operations.
In this release, the credential subsystem supports storing, accessing, and modifying a fixed number of user name/password based credentials as preferred credentials, which other Enterprise Manager subsystems access to build automation solutions. The credential subsystem also supports sudo/PowerBroker-based impersonation.
This chapter covers the following:
The following sections describe the concepts associated with credential service integration:
Credential type is the type of authentication supported by a target type. Various authentication schemes are supported, including native agent authentication and SSH. For more information, see Section 16.1.1, "Understanding Credential Types".
A named credential contains a user's authentication information on a system and can be a user name and password, a public key-private key pair, or an X509v3 certificate. For more information, see Section 16.1.2, "About Named Credentials".
An authenticating target type is the target type that a credential can authenticate against. For more information, see Section 16.1.3, "Authenticating Target Types".
A credential set is a placeholder for a credential and can be used to decouple credentials from the system that uses a credential. For more information, see Section 16.1.4, "Overview of Credential Sets".
The credential store is a logical store for all the named credentials of an Enterprise Manager administrator in the Enterprise Manager. For more information, see Section 16.1.5, "Using the Credential Store".
The credential reference refers to a credential. For more information, see Section 16.1.6, "About the Credential Reference".
Credential type is the type of authentication supported by a target type. For example, a host can support user name and password based authentication, public key authentication, or Kerberos authentication. Various authentication schemes are supported, including native agent authentication and SSH.
The native agent authentication scheme employs a user name and password structure, while the SSH key authentication scheme uses a user name/private key/public key structure.
A named credential contains a user's authentication information on a system. A named credential can be a user name and password, a public key-private key pair, or an X509v3 certificate. An Enterprise Manager administrator can store these credentials as named entities in Enterprise Manager to use when performing operations such as running jobs, patching, and other system management tasks. For example, you can store the user name and password that you want to use for patching as MyPatchingCreds. You can then later submit a patching job that uses MyPatchingCreds to patch the production databases.
Named credentials can be created for the credential types in Enterprise Manager 12c. The most commonly used credential types for host and database target types are described in the following sections.
For more information about named credentials, see the "Configuring and Using Target Credentials" section in the Oracle Enterprise Manager Cloud Control Security Guide.
The authenticating target type is the target type that a credential can authenticate against. For example, a SQLScript job has the host credential DBHostCreds that is used to authenticate against the database host. Therefore, the target type for DBHostCreds is Database Instance and the authenticating target type is Host.
A credential set is a placeholder for a credential. Credential sets can be used to decouple credentials from a system that uses a credential. For example, a patching job can be submitted to use the credential set "Normal Host Credentials" while being executed.
The "Normal Host Credentials" credential set is then mapped to an actual named credential for the target. The credential set to named credential mapping for the target can be changed without editing the system that uses the credential.
The credential store is a logical store for all the named credentials of an Enterprise Manager administrator in the Enterprise Manager. The Enterprise Manager administrator's user name has a logical private credential store. Individual credentials can be identified by credential names. Enterprise Manager administrators can add, edit, and delete named credentials in the credential store.
The credential reference is a way to refer to a credential. There are three ways credentials can be referenced:
The credential is referenced using the name of the credential in the credential store.
The credential is referenced using the credential set name and the target name. The lookup retrieves the credential associated with the credential set name and target name.
The credential is specified by providing the values of the attributes. This reference does not refer to a credential in the credential store.
Credential metadata is defined within the target type metadata file. See Chapter 3, "Creating Target Metadata Files" for more information about this file.
All credential metadata for a target type is defined within the CredentialInfo element. This element in turn contains the following subelements:
CredentialType element that defines the type of credentials to be used to access target instances
CredentialSet element that instantiates an instance of CredentialType
The following example defines the user name and password credentials required to authenticate with hosts running instances of the target.
Example: Credential Metadata
<TargetMetadata>
  ...
  <CredentialInfo>
    <!-- The types of credentials: target host username/password -->
    <CredentialType NAME="HostCreds">
      <Display>
        <Label NLSID="CREDS_HOST_HOSTCREDS">Host Credentials</Label>
      </Display>
      <CredentialTypeColumn NAME="HostUserName" IS_KEY="TRUE">
        <Display>
          <Label NLSID="CREDS_HOST_USERNAME">UserName</Label>
        </Display>
      </CredentialTypeColumn>
      <CredentialTypeColumn NAME="HostPassword">
        <Display>
          <Label NLSID="CREDS_HOST_Password">Password</Label>
        </Display>
      </CredentialTypeColumn>
    </CredentialType>
    <!-- The CredentialSet that creates an instance of CredentialType -->
    <CredentialSet NAME="HostCredsNormal" CREDENTIAL_TYPE="HostCreds" USAGE="PREFERRED_CRED">
      <Display>
        <Label NLSID="CREDS_HOST_HOSTCREDS_NORMAL">Normal Host Credentials</Label>
      </Display>
      <CredentialSetColumn TYPE_COLUMN="HostUserName" SET_COLUMN="username">
        <Display>
          <Label NLSID="CREDS_NORMAL_USER">Normal Username</Label>
        </Display>
      </CredentialSetColumn>
      <CredentialSetColumn TYPE_COLUMN="HostPassword" SET_COLUMN="password">
        <Display>
          <Label NLSID="CREDS_NORMAL_PASSWORD">Normal Password</Label>
        </Display>
      </CredentialSetColumn>
    </CredentialSet>
  </CredentialInfo>
  ...
</TargetMetadata>
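The following Python check, added here as an illustration and not part of Oracle's metadata tooling, parses a CredentialInfo block like the one above and reports the structural mistakes that would leave a credential set unusable: a CredentialSet whose CREDENTIAL_TYPE is not defined, a CredentialSetColumn whose TYPE_COLUMN does not exist in that type, a type column that the set maps zero or several times, and a CredentialType with no IS_KEY column. The sample metadata is a constructed, label-free copy of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the CredentialInfo block from this chapter's example,
# trimmed of Display labels and embedded inline so the check runs offline.
SAMPLE_METADATA = """<TargetMetadata>
  <CredentialInfo>
    <CredentialType NAME="HostCreds">
      <CredentialTypeColumn NAME="HostUserName" IS_KEY="TRUE"/>
      <CredentialTypeColumn NAME="HostPassword"/>
    </CredentialType>
    <CredentialSet NAME="HostCredsNormal" CREDENTIAL_TYPE="HostCreds"
                   USAGE="PREFERRED_CRED">
      <CredentialSetColumn TYPE_COLUMN="HostUserName" SET_COLUMN="username"/>
      <CredentialSetColumn TYPE_COLUMN="HostPassword" SET_COLUMN="password"/>
    </CredentialSet>
  </CredentialInfo>
</TargetMetadata>"""


def check_credential_info(xml_text):
    """Return a list of problems found in a target's CredentialInfo block."""
    # Checks: each CredentialSet names a defined CredentialType, each
    # CredentialSetColumn's TYPE_COLUMN exists in that type, every type column
    # is mapped exactly once, and each type has at least one IS_KEY column.
    problems = []
    info = ET.fromstring(xml_text).find("CredentialInfo")
    if info is None:
        return ["no CredentialInfo element"]
    types = {}  # type NAME -> {column NAME: is_key}
    for ct in info.findall("CredentialType"):
        cols = {c.get("NAME"): c.get("IS_KEY", "FALSE").upper() == "TRUE"
                for c in ct.findall("CredentialTypeColumn")}
        if not any(cols.values()):
            problems.append(f"CredentialType {ct.get('NAME')} has no IS_KEY column")
        types[ct.get("NAME")] = cols
    for cs in info.findall("CredentialSet"):
        set_name, type_name = cs.get("NAME"), cs.get("CREDENTIAL_TYPE")
        if type_name not in types:
            problems.append(f"CredentialSet {set_name} uses undefined type {type_name}")
            continue
        mapped = [c.get("TYPE_COLUMN") for c in cs.findall("CredentialSetColumn")]
        for col in mapped:
            if col not in types[type_name]:
                problems.append(f"CredentialSet {set_name} maps unknown column {col}")
        for col in types[type_name]:
            if mapped.count(col) != 1:
                problems.append(f"CredentialSet {set_name} maps {col} {mapped.count(col)} times")
    return problems
```

Run it against a plug-in's target metadata file before packaging; an empty list means the credential definitions are internally consistent.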
The key elements that define credentials are described in the following table:
CredentialInfo: The root element for the credentials definition. Contains CredentialType and CredentialSet elements.
CredentialType: Contains one or more CredentialTypeColumn elements.
CredentialSet: Instantiates an instance of the credential set defined in CredentialType.
CredentialSetColumn: A subelement of CredentialType. Defines a single credential and maps that credential to its corresponding column in the CredentialType. It includes the following attributes: