Contents

Title and Copyright Information

Preface
  Audience
  Documentation Accessibility
  Related Documents
  Conventions

1 Security Overview
  1.1 Security Threats
  1.2 Security Principles
    1.2.1 Separation of Duties and Principle of Least Privilege
    1.2.2 Encryption
    1.2.3 Monitoring for Suspicious Activity (Auditing)
    1.2.4 Non-repudiation

2 Security Features
  2.1 Configuring Authentication
    2.1.1 Supported Authentication Schemes
    2.1.2 Creating a New Administrator
      2.1.2.1 Repository Based Authentication
        2.1.2.1.1 Creating a New User (Command Line)
      2.1.2.2 Restoring to the Default Authentication Method
        2.1.2.2.1 Bypassing the Single Sign-On Logon Page
        2.1.2.2.2 Restoring the Default Authentication Method
    2.1.3 Deleting an Administrator
    2.1.4 Enterprise User Security Based Authentication
      2.1.4.1 Registering Enterprise Users (EUS Users) as Enterprise Manager Users
        2.1.4.1.1 Registering Enterprise Users Using the Enterprise Manager Console
        2.1.4.1.2 Registering Enterprise Users Using the Command Line Interface
    2.1.5 Oracle Internet Directory (OID)
      2.1.5.1 Prerequisites
      2.1.5.2 Testing the OID Configuration
    2.1.6 Microsoft Active Directory Based Authentication
      2.1.6.1 Testing the Microsoft Active Directory Configuration
    2.1.7 External Authorization using External Roles
      2.1.7.1 Auto Provisioning
      2.1.7.2 Using a Different Name to the External Users Display Name
        2.1.7.2.1 Updating the Oracle Virtual Directory with User Name Changes
    2.1.8 Mapping LDAP User Attributes to Enterprise Manager User Attributes
    2.1.9 Changing User Display Names in Enterprise Manager
    2.1.10 Configuring Other LDAP/SSO Providers
      2.1.10.1 Configuring Single Sign-on based Authentication
        2.1.10.1.1 Configuring Single-Sign-on with Oracle Access Manager 10g
        2.1.10.1.2 Configuring Single-Sign-on with Oracle AS SSO 10g
    2.1.11 Configuring Enterprise User Security based Authentication
    2.1.12 Restoring to the Default Authentication Method
      2.1.12.1 Bypassing the Single Sign-On Logon Page
      2.1.12.2 Restoring the Default Authentication Method
  2.2 Configuring Privileges and Role Authorization
    2.2.1 Understanding Users, Privileges, and Roles
      2.2.1.1 Classes of Users
      2.2.1.2 Reassigning Objects
      2.2.1.3 Aggregate Target Privileges
    2.2.2 Privileges and Roles
      2.2.2.1 Administrators and Database Privileges
      2.2.2.2 Granting Privileges
      2.2.2.3 Fine-grained Access Control
      2.2.2.4 Creating Roles
      2.2.2.5 Private Roles
      2.2.2.6 Using Roles to Manage Privileges
    2.2.3 Managing Privileges with Privilege Propagating Groups
      2.2.3.1 Example 1: Granting various teams different levels of access to target groups
      2.2.3.2 Example 2: Granting developers view access to target database instances
      2.2.3.3 Entitlement Summary
  2.3 Configuring Secure Communication
    2.3.1 About Secure Communication
    2.3.2 Enabling Security for the Oracle Management Service
      2.3.2.1 Configuring the OMS with Server Load Balancer
        2.3.2.1.1 Removing a Server Load Balancer Configuration
      2.3.2.2 Creating a New Certificate Authority
        2.3.2.2.1 Administration Credentials Wallet
      2.3.2.3 Viewing the Security Status and OMS Port Information
      2.3.2.4 Configuring Transport Layer Security
    2.3.3 Securing the Oracle Management Agent
    2.3.4 Managing Agent Registration Passwords
      2.3.4.1 Using the Cloud Control Console to Manage Agent Registration Passwords
      2.3.4.2 Using emctl to Add a New Agent Registration Password
    2.3.5 Restricting HTTP Access to the Management Service
    2.3.6 Enabling Security for the Management Repository Database
      2.3.6.1 About Oracle Advanced Security and the sqlnet.ora Configuration File
      2.3.6.2 Configuring the Management Service to Connect to a Secure Management Repository Database
      2.3.6.3 Enabling Oracle Advanced Security for the Management Repository
      2.3.6.4 Enabling Security for a Management Agent Monitoring a Secure Management Repository or Database
    2.3.7 Custom Configurations
      2.3.7.1 Configuring Custom Certificates for WebLogic Server
        2.3.7.1.1 Create a Java KeyStore or Wallet for each OMS
        2.3.7.1.2 Import Custom CA Certificates into the Agents Monitoring Trust Store
        2.3.7.1.3 Configure the Custom Certificate for each WLS
        2.3.7.1.4 Rolling back the WebLogic Servers to Demonstration Certificate
      2.3.7.2 Configuring Custom Certificates for OMS Console Access
      2.3.7.3 Configuring Custom Certificates for OMS Upload Access
    2.3.8 Secure Communication Setup Tools
      2.3.8.1 emctl secure oms
      2.3.8.2 emctl secure agent
      2.3.8.3 emctl secure wls
      2.3.8.4 emctl status oms -details
    2.3.9 Configuring Third Party Certificates
      2.3.9.1 Configuring a Third Party Certificate for HTTPS Console Users
      2.3.9.2 Configuring Third Party Certificate for HTTPS Upload Virtual Host
  2.4 Configuring and Using Target Credentials
    2.4.1 Credential Subsystem
      2.4.1.1 Named Credentials
        2.4.1.1.1 Typical Scenarios for Using Named Credentials
        2.4.1.1.2 Access Control
        2.4.1.1.3 Creating Named Credentials
        2.4.1.1.4 Access Control for Named Credentials
        2.4.1.1.5 Authentication Scheme
      2.4.1.2 Privileged Credentials
        2.4.1.2.1 Creating Privileged Credentials
      2.4.1.3 Monitoring Credentials
      2.4.1.4 Preferred Credentials
        2.4.1.4.1 Global Preferred Credentials
      2.4.1.5 Saving Preferred Credentials for Hosts and Oracle Homes
      2.4.1.6 Saving Preferred Credentials to Access My Oracle Support
      2.4.1.7 Managing Credentials Using EM CLI
      2.4.1.8 Host Authentication Features
        2.4.1.8.1 Setting Up SSH Key-based Host Authentication
        2.4.1.8.2 Setup Example Session
        2.4.1.8.3 Setting Up Host Preferred Credentials Using SSH Key Credentials
        2.4.1.8.4 Setting Up Host Preferred Credentials Using SSH Key Credentials (pre-12.1.0.4)
        2.4.1.8.5 Authenticating host credentials
        2.4.1.8.6 Configuring the PAM "emagent" Service
        2.4.1.8.7 Sudo and PowerBroker Support
        2.4.1.8.8 Creating a Privilege Delegation Setting
  2.5 Configuring and Using Cryptographic Keys
    2.5.1 Configuring the emkey
    2.5.2 emctl Commands
      2.5.2.1 emctl status emkey
      2.5.2.2 emctl config emkey -copy_to_credstore
      2.5.2.3 emctl config emkey -copy_to_file_from_credstore
      2.5.2.4 emctl config emkey -copy_to_file_from_repos
      2.5.2.5 emctl config emkey -copy_to_credstore_from_file
      2.5.2.6 emctl config emkey -copy_to_repos_from_file
      2.5.2.7 emctl config emkey -remove_from_repos
    2.5.3 Install and Upgrade Scenarios
      2.5.3.1 Installing the Management Repository
      2.5.3.2 Installing the First Oracle Management Service
      2.5.3.3 Upgrading from 10.2 or 11.1 to 12.1
      2.5.3.4 Recreating the Management Repository
  2.6 Configuring and Managing Audit
    2.6.1 Auditing Credentials
    2.6.2 Default Audit Actions
    2.6.3 Configuring the Enterprise Manager Audit System
    2.6.4 Configuring the Audit Data Export Service
    2.6.5 Updating the Audit Settings
    2.6.6 Searching the Audit Data
    2.6.7 List of Operations Audited
    2.6.8 Auditing the Infrastructure
      2.6.8.1 WebLogic Server Auditable Events
  2.7 Additional Security Considerations
    2.7.1 Changing the SYSMAN and MGMT_VIEW Passwords
      2.7.1.1 Changing the SYSMAN User Password
        2.7.1.1.1 If the current SYSMAN password is known
        2.7.1.1.2 If the current SYSMAN password is unknown
      2.7.1.2 Changing the MGMT_VIEW User Password
    2.7.2 Responding to Browser-Specific Security Certificate Alerts
      2.7.2.1 Third Party Certificate Workflow
      2.7.2.2 Responding to the Internet Explorer Security Alert Dialog Box
      2.7.2.3 Responding to the Mozilla Firefox New Site Certificate Dialog Box
      2.7.2.4 Responding to the Google Chrome Security Alert Dialog Box
      2.7.2.5 Responding to Safari Security Dialog Box

3 Keeping Enterprise Manager Secure
  3.1 Guidelines for Secure Infrastructure and Installations
    3.1.1 Secure the Infrastructure and Operating System
      3.1.1.1 Best Practices for Securing the Infrastructure and Operating System
    3.1.2 Securing the Oracle Management Repository
      3.1.2.1 Enable Advanced Security Option
        3.1.2.1.1 Restrict Network Access
        3.1.2.1.2 Audit SYS actions
        3.1.2.1.3 Securing User Accounts
        3.1.2.1.4 Secure and Backup the Encryption Key
    3.1.3 Securing the Oracle Management Agent
    3.1.4 Secure Communication
      3.1.4.1 Best Practices for Securing the Oracle Management Agent
      3.1.4.2 Enable ICMP
      3.1.4.3 Configure Oracle Management Agent for Firewalls
      3.1.4.4 Configure Oracle Management Service for Firewalls
    3.1.5 Security Console
      3.1.5.1 Overview
      3.1.5.2 Pluggable Authentication
        3.1.5.2.1 Pluggable Authentication Overview
        3.1.5.2.2 Pluggable Authentication Configuration
      3.1.5.3 Fine-grained Access Control
        3.1.5.3.1 Overview
        3.1.5.3.2 Classes of Users
        3.1.5.3.3 Fine-grained Access Control Administrators
        3.1.5.3.4 Fine-grained Access Control Privileges
        3.1.5.3.5 Fine-grained Access Control Roles
        3.1.5.3.6 Fine-grained Access Control Privilege Propagation in Aggregates
      3.1.5.4 Secure Communication
        3.1.5.4.1 Secure Communication Overview
        3.1.5.4.2 Database Encryption Configuration
      3.1.5.5 Credentials Management
      3.1.5.6 Comprehensive Auditing
      3.1.5.7 Active User Session Count
      3.1.5.8 Best Practices Analysis
  3.2 Guidelines for SSL Communication
    3.2.1 Ensure TLSv1.2 Protocol is Enabled
    3.2.2 Leave Communication in Secure-Lock Mode
      3.2.2.1 Secure and Lock the OMS and Agents
    3.2.3 Modify Cipher Configuration if Required
      3.2.3.1 Third Party Certificates
      3.2.3.2 Oracle Wallets
        3.2.3.2.1 Creating an Oracle Wallet
    3.2.4 Best Practices for Securing Communication
  3.3 Guidelines for Authentication
    3.3.1 Enable External Authentication
      3.3.1.1 Best Practices for Authentication
  3.4 Guidelines for Authorization
    3.4.1 Best Practices for Privilege and Role Management
    3.4.2 Use Principle of Least Privileges for Defining Roles/Privileges
    3.4.3 Use Privilege Propagation Groups
      3.4.3.1 Best Practices for Groups and Systems
  3.5 Guidelines for Auditing
    3.5.1 Best Practices for Auditing
  3.6 Guidelines for Managing Target Credentials
    3.6.1 Best Practices for Credentials

4 Security Best Practices for Database Management in Enterprise Manager
  4.1 Flexible Database Access Control
    4.1.1 Database Management Roles and Responsibilities
    4.1.2 Application DBA Access
      4.1.2.1 Creating an Application DBA Account
      4.1.2.2 Creating Named Credentials
    4.1.3 Application Developer Access
      4.1.3.1 Granting Application Developer Access on the Database
      4.1.3.2 Granting Application Developer Access to the Database Named Credentials
    4.1.4 Database Monitoring User Access
      4.1.4.1 Granting View Database Performance Access on the Database
      4.1.4.2 Sharing credentials with the Database Monitoring User
    4.1.5 Database Administrator Access
      4.1.5.1 Creating a Database Administrator Account
      4.1.5.2 Creating Named Credentials
      4.1.5.3 Granting Privileges Through Roles and Privilege Propagating Groups
    4.1.6 Privilege Groups
      4.1.6.1 Database Application DBA
      4.1.6.2 Database Application Developer
      4.1.6.3 Manage Database High Availability Privilege Group
      4.1.6.4 View Database High Availability Privilege Group
      4.1.6.5 Manage Database Performance Privilege Group
      4.1.6.6 View Database Performance Privilege Group
      4.1.6.7 Manage Database Schema Privilege Group
      4.1.6.8 View Database Schema Privilege Group
      4.1.6.9 Manage Database Security Privilege Group
      4.1.6.10 View Database Security Privilege Group
      4.1.6.11 Manage Database Storage Privilege Group
  4.2 Secured Communication (TCPS) Access to Databases
    4.2.1 Configuring TCPS
    4.2.2 Configuring Third Party CA Certificates for Communication With Target Databases
  4.3 Account Management

5 Troubleshooting
  5.1 Troubleshooting Authentication Issues in Enterprise Manager
    5.1.1 Enabling the WebLogic Debug Flag
    5.1.2 Debugging errors in ldap_trace.logATN file
    5.1.3 Invalid Credentials
    5.1.4 Timeout in LDAP Server
    5.1.5 Errors Outside ldap_trace.logATN

6 References

A.1 Out-of-Box Roles
A.2 User Access to Database Targets without SYSDBA Privileges
  A.2.1 Creating an Administrator
  A.2.2 Users Requiring Access to the Database Performance Page
  A.2.3 User Requiring Access to AWR/ADDM
  A.2.4 User Requiring Access to SQL Access Advisor
  A.2.5 User Requiring Access to SQL Tuning Advisor
B.1 Privileges
C.1 Audit Operations
D.1 Configuring TLSv1.2 for Communication with the Enterprise Manager Repository

Index