Oracle® Enterprise Manager Administration
10g Release 5 (10.2.0.5)
E14586-02

4 Enterprise Manager Security

This chapter describes how to configure Oracle Enterprise Manager Security. Specifically, this chapter contains the following sections:

About Oracle Enterprise Manager Security

Oracle Enterprise Manager provides tools and procedures to help you ensure that you are managing your Oracle environment in a secure manner. The goals of Oracle Enterprise Manager security are:

Enterprise Manager Authentication

Grid Control Authentication is the process of determining the validity of the user accessing Enterprise Manager Grid Control. The authentication feature is available across the different user interfaces such as Enterprise Manager Grid Control console and Enterprise Manager Command Line Interface.

Enterprise Manager Authentication Schemes

The following authentication schemes are available:

  • Repository-Based Authentication: This is the default authentication option. An Enterprise Manager administrator is also a repository (database) user. By using this option, you can take advantage of all the benefits that this authentication method provides, such as password control through password profiles: enforced password complexity, password lifetime, and the number of failed login attempts allowed. During the password grace period, the administrator is prompted to change the password; once the password has expired, it must be changed.

  • SSO-Based Authentication: The single sign-on based authentication provides strengthened and centralized user identity management across the enterprise. After you have configured Enterprise Manager to use the Oracle Application Server Single Sign-On Control as described in the Advanced Configuration Guide, you can register any single sign-on user as an administrator. You can then enter your single sign-on credentials to access the Oracle Enterprise Manager Grid Control console.

  • Enterprise User Security Based Authentication: The Enterprise User Security (EUS) option enables you to create and store enterprise users and roles for the Oracle database in an LDAP-compliant directory server. Once the repository is configured with EUS, you can configure Enterprise Manager to use EUS as its authentication mechanism as described in the Advanced Configuration Guide. You can register any EUS user as an Enterprise Manager administrator.

    EUS helps centralize the administration of users and roles across multiple databases. If the managed databases are configured with EUS, the process of logging into these databases is simplified. When you drill down to a managed database, Enterprise Manager will attempt to connect to the database using Enterprise User Security. If successful, Enterprise Manager will directly connect you to the database without displaying a login page.

Creating / Modifying Administrators

You can create and manage Enterprise Manager administrator accounts. Each administrator account includes its own login credentials, as well as a set of roles and privileges that are assigned to the account. There are three administrator access categories:

  • Super Administrator: Powerful Enterprise Manager administrator with full access privileges to all targets and administrator accounts within the Enterprise Manager environment. The Super Administrator, SYSMAN, is created by default when Enterprise Manager is installed. The Super Administrator can create other administrator accounts.

  • Administrator: Regular Enterprise Manager administrator.

  • Repository Owner: Database administrator for the Management Repository. This account cannot be modified, duplicated, or deleted.

The types of management tasks that an administrator can perform and the targets that he can access depend on the roles, system privileges, and target privileges that he is granted. The Super Administrator can choose to let certain administrators perform only certain management tasks, or access only certain targets, or perform certain management tasks on certain targets. In this way, the Super Administrator can divide the workload among his administrators. To create, edit, or view an administrator:

  1. Click Setup at the top of any Grid Control Console page.

  2. Click Administrators. The Administrators page is displayed.

    Figure 4-1 Administrators Page

  3. Click the appropriate task button on the Administrators page.

    Enterprise Manager displays a wizard page for the task you have chosen. Click Help from the wizard page for more information on administrators.


Note:

The interface for user creation may vary depending on the authentication scheme you have selected.

Enterprise Manager Authorization

System security is a major concern of any corporation. Giving the same level of access to all systems to all administrators is dangerous, but individually granting access to tens, hundreds, or even thousands of targets to every new member of the group is time consuming. With Enterprise Manager's administrator privileges and roles feature, this task can be performed within seconds, instead of hours. Authorization controls access to the secure resources managed by Enterprise Manager through system, target, and object level privileges and roles.

This section describes Enterprise Manager's Authorization model including user classes, roles, and privileges assigned to each user class. The following topics are described:

Privileges and Roles

User privileges provide a basic level of security in Enterprise Manager. They are designed to control user access to data and to limit the kinds of SQL statements that users can execute. When creating a user, you grant privileges to enable the user to connect to the database, to run queries and make updates, to create schema objects, and more.

When Enterprise Manager is installed, the SYSMAN user (super administrator) is created by default. The SYSMAN Super Administrator then creates other administrator accounts for daily administration work. The SYSMAN account should only be used to perform infrequent system wide, global configuration tasks. The Super Administrator divides workload among his administrators by filtering target access, or filtering access to management tasks, or both, through the roles, System Privileges, and Target Privileges he grants them. For example, he can allow some administrators to view any target and to add any target in the enterprise, and other administrators to only perform specific operations such as maintaining and cloning on a target for which they are responsible.

A role is a collection of Enterprise Manager system privileges, or target privileges, or both, which you can grant to administrators or to other roles. These roles can be based upon geographic location (for example, a role for Canadian administrators to manage Canadian systems), line of business (for example, a role for administrators of the human resource systems or the sales systems), or any other model. Administrators do not want to perform the task of individually granting access to tens, hundreds, or even thousands of targets to every new member of their group. By creating roles, an administrator needs only to assign the role that includes all the appropriate privileges to his team members instead of having to grant many individual privileges. He can divide workload among his administrators by filtering target access, or filtering access to management tasks, or both.

Public Role: Enterprise Manager creates one role by default called Public. This role is unique in that it is automatically assigned to all new non-super administrators when they are created. By default it has no privileges assigned to it. The Public role should be used to define the default privileges you expect to assign to a majority of the non-super administrators you create. Privileges need not be assigned to Public initially; they can be added at any time. The role may be deleted if your enterprise does not wish to use it. If deleted, it can be added back later if you decide to implement it.

Setting Privileges

A privilege is a right to perform management actions within Enterprise Manager. Privileges can be divided into three categories:

  • System Privileges

  • Target Privileges

  • Object Privileges

System Privileges: These privileges allow a user to perform system wide operations and are listed below:

Table 4-1 System Privileges

System Privilege Description

VIEW ANY TARGET

Allows the administrator to view any target on the system, including Oracle Management Agents and Management Services. Whenever the VIEW ANY TARGET privilege is granted, the MONITOR ENTERPRISE MANAGER privilege is also granted by default.

ADD ANY TARGET

Allows the administrator to add any target to Enterprise Manager for monitoring, administration and management.

USE ANY BEACON

Allows the administrator to use any Beacon on any monitored host to monitor transactions, URLs, and network components.

GRANT ANY REPORT VIEWER

Allows the administrator to grant both regular Enterprise Manager administrators and non-administrators the ability to view reports from the Enterprise Manager Reports website or from the Reports tab. Administrators with this system privilege will be able to use the "Allow viewing without logging in to Enterprise Manager" option when defining a report definition.

MONITOR ENTERPRISE MANAGER

Allows the administrator to monitor the availability and performance of Enterprise Manager itself, and grants the administrator access to the following targets: the database used for the Management Repository, the Management Service and Management Repository, and all Oracle Management Agents in the global enterprise.


Target Privileges: These privileges allow an administrator to perform operations on a target.

Table 4-2 Target Privileges

Target Privilege Description

VIEW

Allows the administrator to view properties, inventory and monitor information about a target. The View privilege is propagated to all members of aggregate targets such as groups and systems.

OPERATOR

Allows the administrator to perform Startup, Shutdown, and Edit operations on a target.

FULL

Implicitly grants all the target privileges and allows the administrator to

BLACKOUT TARGET

Allows the administrator to create, edit, schedule, and stop blackout on a target.

MANAGE TARGET METRICS

Allows the administrator to edit thresholds for metric and policy settings, apply monitoring templates and manage user defined metrics.

CONFIGURE TARGET

Allows the administrator to edit target properties and modify monitoring configurations.

MANAGE TARGET ALERTS

Allows the administrator to clear stateless alerts, manually re-evaluate alerts and acknowledge alerts for the target.


Object Privileges: These privileges allow an administrator to perform a particular action on a specific schema object. Different object privileges are available for different types of schema objects.

Table 4-3 Object Privileges

Object Privilege Description

VIEW JOB

Allows the administrator to view properties, inventory and monitor information about a target. The View privilege is propagated to all members of aggregate targets such as groups and systems.

FULL

Implicitly grants all the target privileges and allows the administrator to

VIEW CONFIGURE STANDARD


PUBLISH REPORT


VIEW REPORT



Configuring Security for Grid Control

This section contains the following topics:

About Enterprise Manager Framework Security

Enterprise Manager Framework Security provides safe and secure communication channels between the components of Enterprise Manager. For example, Framework Security provides secure connections between your Oracle Management Service and its Management Agents.


See Also:

Oracle Enterprise Manager Concepts for an overview of Enterprise Manager components

Enterprise Manager Framework Security works in concert with—but does not replace—the security features you should enable for your Oracle HTTP Server. Oracle HTTP Server is part of the Oracle Application Server instance that is used to deploy the Management Service J2EE Web application.

Figure 4-2 shows how Enterprise Manager Framework Security provides security for the connections between the Enterprise Manager components.

Figure 4-2 Enterprise Manager Framework Security


Enterprise Manager Framework Security implements the following types of secure connections between the Enterprise Manager components:

  • HTTPS and Public Key Infrastructure (PKI) components, including signed digital certificates, for communications between the Management Service and the Management Agents.


    See Also:

    Oracle Security Overview for an overview of Public Key Infrastructure features, such as digital certificates and public keys

  • Oracle Advanced Security for communications between the Management Service and the Management Repository.

Overview of the Steps Required to Enable Enterprise Manager Framework Security

To enable Enterprise Manager Framework Security, you must configure each of the Enterprise Manager components in a specific order. The following list outlines the process for securing the Management Service and the Management Agents that upload data to the Management Service:


Note:

The Enterprise Manager components are configured during installation. You can use the following commands if you want to reconfigure any of the components.

  1. Use the opmnctl stopall command to stop the Management Service, the Oracle HTTP Server, and the other components of the Oracle Application Server that are used to deploy the Management Service.

  2. Use emctl secure oms to enable security for the Management Service.

  3. Restart the Management Service, the Oracle HTTP Server, OracleAS Web Cache, and the other application server components using the opmnctl startall command.

  4. For each Management Agent, stop the Management Agent, use the emctl secure agent command to enable security for the Management Agent, and restart the Management Agent.

  5. After security is enabled for all the Management Agents, use the emctl secure lock command to restrict HTTP access to the Management Service. This ensures that Management Agents for which security has not been enabled will not be able to upload data to the Management Service.

The following sections describe how to perform each of these steps in more detail.


Note:

To resolve errors from emctl secure operations, refer to $ORACLE_HOME/sysman/log/secure.log for more details.

Enabling Security for the Oracle Management Service

To enable Enterprise Manager Framework Security for the Management Service, you use the emctl secure oms utility, which is located in the following subdirectory of the Management Service home directory:

$ORACLE_HOME/bin

The emctl secure oms utility performs the following actions:

  • Generates a Root Key within your Management Repository. The Root Key is used during distribution of Oracle Wallets containing unique digital certificates for your Management Agents.

  • Modifies your Oracle HTTP Server to enable an HTTPS channel between your Management Service and Management Agents, independent from any existing HTTPS configuration that may be present in your Oracle HTTP Server.

  • Enables your Management Service to accept requests from Management Agents using Enterprise Manager Framework Security.

To run the emctl secure oms utility you must first choose an Agent Registration Password. The Agent Registration password is used to validate that future installation sessions of Oracle Management Agents and Oracle Management Services are authorized to load their data into this Enterprise Manager installation.

To enable Enterprise Manager Framework Security for the Oracle Management Service:

  1. Change directory to the following directory in the Management Service home:

    ORACLE_HOME/opmn/bin
    
  2. Stop the Management Service, the Oracle HTTP Server, and the other application server components using the following command:

    $PROMPT> ./opmnctl stopall
    
  3. Change directory to the following directory in the Management Service home:

    ORACLE_HOME/bin
    
  4. Enter the following command:

    $PROMPT> ./emctl secure oms
    
  5. You will be prompted for the Enterprise Manager Root Password. Enter the SYSMAN password.

  6. You will be prompted for the Agent Registration Password, which is the password required for any Management Agent attempting to secure with the Management Service. Specify an Agent Registration Password for the Management Service.

  7. When the operation is complete, restart the Management Service, the Oracle HTTP Server, and OracleAS Web Cache:

    $PROMPT> cd $ORACLE_HOME/opmn/bin
    $PROMPT> ./opmnctl startall
    
  8. After the Management Service restarts, test the secure connection to the Management Service by browsing to the following secure URL using the HTTPS protocol:

    https://hostname.domain:https_upload_port/em
    

    For example:

    https://mgmthost1.acme.com:1159/em
    

    If the Management Service security has been enabled, your browser displays the Enterprise Manager Login page.


Note:

The 1159 port number is the default secure port used by the Management Agents to upload data to the Management Service. This port number may vary if the default port is unavailable.


Caution:

While the emctl secure oms command provides immediate HTTPS browser access to the Grid Control Console by using the secure Management Agent upload port, it does not enable security for the default OracleAS Web Cache port that your administrators use to display the Grid Control Console.

To enable security for users who access the Grid Control through OracleAS Web Cache, refer to Oracle Application Server 10g Security Guide.


Example 4-1 Sample Output of the emctl secure oms Command

$PROMPT> ./emctl secure oms
Oracle Enterprise Manager 10g Release 5 Grid Control
Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
Securing OMS... Started.
Securing OMS... Successful

Alternatively, you can enter the emctl secure oms command all on one line, but if you enter the command on one line, the passwords you enter will be displayed on the screen as you type the command.

Example 4-2 Usage of the emctl secure oms Command (II)

$PROMPT> emctl secure oms [-sysman_pwd <sysman password>] [-reg_pwd <registration password>]
    [-host <hostname>] [-reset] [-secure_port <secure_port>]
    [-upload_http_port <upload_http_port>] [-slb_port <slb port>]
    [-slb_console_port <slb console port>] [-root_dc <root_dc>]
    [-root_country <root_country>] [-root_state <root_state>] [-root_loc <root_loc>]
    [-root_org <root_org>] [-root_unit <root_unit>] [-root_email <root_email>]
    [-wallet <wallet_loc> -trust_certs_loc <certs_loc>] [-wallet_pwd <pwd>]
    [-key_strength <strength>] [-cert_validity <validity>]

The parameters are explained below:

  • sysman_pwd - Oracle Management Repository user password.

  • reg_pwd - The Management Agent registration password.

  • host - The host name to be used in the certificate used by the Oracle Management Service. You may need to use the SLB host name if there is an SLB before the Management Service.

  • reset - If the Oracle Management Service is secured with this option, a new root certificate is generated. All the agents and the Oracle Management Services need to be resecured for use with the new root certificate.

  • secure_port - The port to be used for secure communication. The default value is 4888.

  • upload_http_port - The port used for upload communications.

  • slb_port - This parameter is required when Server Load Balancer is used. It specifies the secure upload port configured in the Server Load Balancer.

  • slb_console_port - This parameter is required when Server Load Balancer is used. It specifies the secure upload port configured in the Server Load Balancer.

  • trust_certs_loc - The location of the trusted_certs.txt (required when third party certificates are used).

  • root_dc - The domain component used in the root certificate. The default value is com.

  • root_country - The country to be used in the root certificate. The default value is US.

  • root_state - The state to be used in the root certificate. The default value is CA.

  • root_loc - The location to be used in the root certificate. The default value is EnterpriseManager on <hostname>.

  • root_org - The organization name to be used in the root certificate. The default value is EnterpriseManager on <hostname>.

  • root_unit - The organizational unit to be used in the root certificate. The default value is EnterpriseManager on <hostname>.

  • root_email - The email address to be used in the root certificate. The default value is EnterpriseManager@<hostname>.

  • wallet - The directory where the wallet to be used on the HTTPS upload port is located.

  • wallet_pwd - The wallet password; required only if the wallet is not an SSO wallet.

  • key_strength - The strength of the key to be used. Valid values are 512, 1024, 2048, and 4096.

  • cert_validity - The number of days for which the self-signed certificate is valid. The valid range is 1 to 3650.


Note:

The key_strength and cert_validity parameters are applicable only when the -wallet option is not used.

Checking the Security Status

You can check whether security has been enabled for the Management Service by entering the emctl status oms -secure command.

Example 4-3 Sample Output of the emctl status oms -secure Command

$prompt> emctl status oms -secure
Oracle Enterprise Manager 10g Release 5 Grid Control  
Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
Checking the security status of the OMS at location set in /OH/oms10g/sysman/config/emoms.properties...  Done.
OMS is secure on HTTPS Port 1159

Enabling Security for the Oracle Management Agent

When you install the Management Agent on a host, you must identify the Management Service that will be used by the Management Agent. If the Management Service you specify has been configured to take advantage of Enterprise Manager Framework Security, you will be prompted for the Agent Registration Password and Enterprise Manager Framework Security will be enabled for the Management Agent during the installation.

Otherwise, if the Management Service has not been configured for Enterprise Manager Framework Security or if the Registration Password was not specified during installation, then security will not be enabled for the Management Agent. In those cases, you can later enable Enterprise Manager Framework Security for the Management Agent.

To enable Enterprise Manager Framework Security for the Management Agent, use the emctl secure agent utility, which is located in the following directory of the Management Agent home directory:

AGENT_HOME/bin (UNIX)
AGENT_HOME\bin (Windows)

The emctl secure agent utility performs the following actions:

  • Obtains an Oracle Wallet from the Management Service that contains a unique digital certificate for the Management Agent. This certificate is required in order for the Management Agent to conduct SSL communication with the secure Management Service.

  • Obtains an Agent Key for the Management Agent that is registered with the Management Service.

  • Configures the Management Agent so it is available on your network over HTTPS and so it uses the Management Service HTTPS upload URL for all its communication with the Management Service.

To enable Enterprise Manager Framework Security for the Management Agent:

  1. Ensure that your Management Service and the Management Repository are up and running.

  2. Change directory to the following directory:

    AGENT_HOME/bin (UNIX)
    AGENT_HOME\bin (Windows)
    
  3. Stop the Management Agent:

    $PROMPT> ./emctl stop agent
    
  4. Enter the following command:

    $PROMPT> ./emctl secure agent (UNIX)
    $PROMPT> emctl secure agent (Windows)
    

    The emctl secure agent utility prompts you for the Agent Registration Password, authenticates the password against the Management Service, and reconfigures the Management Agent to use Enterprise Manager Framework Security.


    Note:

    Alternatively, you can enter the command all on one line, but if you enter the command on one line, the password you enter will be displayed on the screen as you type:
    $PROMPT> ./emctl secure agent agent_registration_pwd (UNIX)
    $PROMPT> emctl secure agent agent_registration_pwd (Windows)
    

    Example 4-4 shows sample output of the emctl secure agent utility.

  5. Restart the Management Agent:

    $PROMPT> ./emctl start agent
    
  6. Confirm that the Management Agent is secure by checking the Management Agent home page.


    Note:

    You can also check whether the Management Agent is secure by running the emctl status agent -secure command, or by checking the Agent and Repository URLs in the output of the emctl status agent command.

    In the General section of the Management Agent home page (Figure 4-3), the Secure Upload field indicates whether or not Enterprise Manager Framework Security has been enabled for the Management Agent.


    See Also:

    "Checking the Status of an Oracle Management Agent" in the Enterprise Manager online Help

Example 4-4 Sample Output of the emctl secure agent Utility

$PROMPT> ./emctl secure agent
Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0.
Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
Securing agent...   Started
Securing agent...   Successful.

Example 4-5 Sample Output of the emctl status agent -secure Command

[oracle@stang14 bin]$ ./emctl status agent -secure
Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0. 
Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
Checking the security status of the Agent at location set in 
/private/home/oracle/product/102/em/agent10g/sysman/config/emd.properties...  
Done.
Agent is secure at HTTPS Port 3872.
Checking the security status of the OMS at 
http://gridcontrol.oraclecorp.com:4889/em/upload/...  Done.
OMS is secure on HTTPS Port 4888
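The status checks in "Checking the Security Status" and in Example 4-5 are normally read by eye on one host. The following script is an added example, not part of the Oracle documentation: it reduces the output of emctl status oms -secure and emctl status agent -secure to a pass/fail verdict so the same check can be run across every agent host in a loop. The sample outputs are constructed to follow the format of Examples 4-3 and 4-5; the paths and host names in them are placeholders, and the exact wording an unsecured agent prints is not shown in the manual, so the check keys only on the "is secure" lines.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): parse the output of
# "emctl status oms -secure" and "emctl status agent -secure" so that a
# fleet-wide check can flag any component that is still on plain HTTP.

# Print the HTTPS port the OMS reports, or nothing if no "is secure" line is present.
oms_secure_port() {
  # $1 = captured output of "emctl status oms -secure" (or of the agent check,
  # which also reports the OMS it uploads to)
  printf '%s\n' "$1" | sed -n 's/^OMS is secure on HTTPS Port \([0-9][0-9]*\).*/\1/p'
}

# Print the HTTPS port the agent reports, or nothing if no "is secure" line is present.
agent_secure_port() {
  # $1 = captured output of "emctl status agent -secure"
  printf '%s\n' "$1" | sed -n 's/^Agent is secure at HTTPS Port \([0-9][0-9]*\).*/\1/p'
}

# Verdict for one agent host: "secure" only when both the agent itself and the
# OMS it uploads to report an HTTPS port.
agent_verdict() {
  a=$(agent_secure_port "$1")
  o=$(oms_secure_port "$1")
  if [ -n "$a" ] && [ -n "$o" ]; then
    echo "secure agent_port=$a oms_port=$o"
  else
    echo "NOT SECURE"
  fi
}

# Constructed sample: a secured OMS (format follows Example 4-3).
OMS_OUT='Oracle Enterprise Manager 10g Release 5 Grid Control
Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
Checking the security status of the OMS at location set in /OH/oms10g/sysman/config/emoms.properties...  Done.
OMS is secure on HTTPS Port 1159'

# Constructed sample: a secured agent (format follows Example 4-5).
AGENT_OUT='Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0.
Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
Checking the security status of the Agent at location set in
/path/to/agent10g/sysman/config/emd.properties...  Done.
Agent is secure at HTTPS Port 3872.
Checking the security status of the OMS at
http://oms.example.com:4889/em/upload/...  Done.
OMS is secure on HTTPS Port 4888'

# Constructed sample: an agent that was never secured, so neither "is secure"
# line appears (the real wording of this case is not shown in the manual).
UNSECURE_OUT='Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0.
Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
Checking the security status of the Agent at location set in
/path/to/agent10g/sysman/config/emd.properties...  Done.'

# On a real host, replace the constructed text with live output, for example:
#   AGENT_OUT=$("$AGENT_HOME/bin/emctl" status agent -secure)
echo "OMS:            port $(oms_secure_port "$OMS_OUT")"
echo "Agent (ok):     $(agent_verdict "$AGENT_OUT")"
echo "Agent (plain):  $(agent_verdict "$UNSECURE_OUT")"
```

Run it once per agent home over ssh and grep for NOT SECURE before issuing emctl secure lock; any host still listed is one that will lose its upload channel when the lock is applied.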

Figure 4-3 Secure Upload Field on the Management Agent Home Page


Enabling Security with Multiple Management Service Installations

If you already have a secure Management Service running and you install an additional Management Service that uses the same Management Repository, you will need to enable Enterprise Manager Framework Security for the new Management Service. This task is executed using the same procedure that you used to secure the first Management Service, by running the emctl secure oms utility.

Because you have already established at least one Agent Registration Password and a Root Key in your Management Repository, they must be used for your new Management Service. Your secure Management Agents can then operate against either Management Service.

All the registration passwords assigned to the current Management Repository are listed on the Registration Passwords page in the Oracle Enterprise Manager 10g Grid Control Console.

If you install a new Management Service that uses a new Management Repository, the new Management Service is considered to be a distinct enterprise. There is no way for the new Management Service to partake in the same security trust relationship as another Management Service that uses a different Management Repository. Secure Management Agents of one Management Service will not be able to operate against the other Management Service.

Restricting HTTP Access to the Management Service

By default, when you enable Enterprise Manager Framework Security on your Oracle Management Service there are no default restrictions on HTTP access. The Grid Control Console can also be accessed over HTTP and the Oracle Management Agents will be able to upload over HTTP as well as HTTPS.

However, it is important that only secure Management Agent installations that use the Management Service HTTPS channel are able to upload data to your Management Repository, and that the Grid Control Console is accessible only over HTTPS.

To restrict access so Management Agents can upload data to the Management Service only over HTTPS:

  1. Stop the Management Service, the Oracle HTTP Server, and the other application server components:

    $PROMPT> cd $ORACLE_HOME/opmn/bin
    $PROMPT> ./opmnctl stopall
    
  2. Change directory to the following location in the Management Service home:

    $ORACLE_HOME/bin
    
  3. Enter the following command to prevent Management Agents from uploading data to the Management Service over HTTP:

    $PROMPT> emctl secure lock -upload
    

    Note:

      • To lock the console and prevent HTTP access to the console, enter the following command:

        emctl secure lock -console
        
      • To lock both, enter either of the following commands:

        emctl secure lock
        emctl secure lock -upload -console
        
      • To lock both the console access and uploads from Agents while enabling security on the Management Service, enter the following command:

        emctl secure oms -lock [other options]
        

  4. Restart the Management Service, the Oracle HTTP Server, and the other application server components:

    $PROMPT> cd $ORACLE_HOME/opmn/bin
    $PROMPT> ./opmnctl startall
    
  5. Verify that you cannot access the Management Agent upload URL using the HTTP protocol:

    For example, navigate to the following URL:

    http://hostname.domain:4889/em/upload
    

    You should receive an error message similar to the following:

    Forbidden
    You don't have permission to access /em/upload on this server
    
  6. Verify that you can access the Management Agent Upload URL using the HTTPS protocol:

    For example, navigate to the following URL:

    https://hostname.domain:4888/em/upload
    

    You should receive the following message, which confirms the secure upload port is available to secure Management Agents:

    Http XML File receiver
    Http Recceiver Servlet active!
    

To allow the Management Service to accept uploads from unsecure Management Agents, use the following command:

$PROMPT> emctl secure unlock -upload

Note:

  • To unlock the console and allow HTTP access to the console, enter the following command:

    emctl secure unlock -console
    
  • To unlock both, enter either of the following commands:

    emctl secure unlock
    emctl secure unlock -console -upload
    

Example 4-6 Sample Output of the emctl secure lock Command

$prompt> emctl secure lock
Oracle Enterprise Manager 10g Release 5 Grid Control
Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
OMS Console is locked. Access the console over HTTPS ports.
Agent Upload is locked. Agents must be secure and upload over HTTPS port.

Example 4-7 Sample Output of the emctl secure unlock Command

$prompt> emctl secure unlock
Oracle Enterprise Manager 10g Release 5 Grid Control
Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
OMS Console is unlocked. HTTP ports too can be used to access console.
Agent Upload is unlocked. Unsecure Agents may upload over HTTP.
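Steps 5 and 6 of the locking procedure and Examples 4-6 and 4-7 give two independent signals that the lock took effect: what emctl prints, and what the upload URL answers over HTTP versus HTTPS. The script below is an added example, not part of the Oracle documentation, that turns both into machine-checkable verdicts. The emctl outputs are constructed from Examples 4-6 and 4-7, the probe bodies from the messages quoted in steps 5 and 6; the EM_OMS_HOST variable, the live_probe helper and the mktemp usage are this example's own, and the ports 4889 and 4888 are the defaults used in the steps above.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): verify the result of
# "emctl secure lock" from the emctl output and from probes of /em/upload.

# Reduce emctl secure lock/unlock output to "console=<state> upload=<state>".
lock_state() {
  out=$1
  c=unknown
  u=unknown
  case "$out" in
    *"OMS Console is locked."*)   c=locked ;;
    *"OMS Console is unlocked."*) c=unlocked ;;
  esac
  case "$out" in
    *"Agent Upload is locked."*)   u=locked ;;
    *"Agent Upload is unlocked."*) u=unlocked ;;
  esac
  echo "console=$c upload=$u"
}

# Classify one probe of /em/upload: $1 = http|https, $2 = HTTP status, $3 = body.
# After "emctl secure lock -upload" the HTTP port must answer 403, and only the
# HTTPS port may still report the receiver servlet as active.
upload_probe_verdict() {
  proto=$1; status=$2; body=$3
  case "$proto:$status" in
    http:403) echo "http-upload-blocked" ;;
    http:200)
      case "$body" in
        *"Servlet active"*) echo "http-upload-open" ;;   # unsecure agents can still upload
        *)                  echo "unexpected" ;;
      esac ;;
    https:200)
      case "$body" in
        *"Servlet active"*) echo "https-upload-active" ;;
        *)                  echo "unexpected" ;;
      esac ;;
    *) echo "unexpected" ;;
  esac
}

# Live probe, used only when EM_OMS_HOST is set (hypothetical variable).
# -k skips certificate validation because this checks the port lock state,
# not trust in the Enterprise Manager root certificate.
live_probe() {
  proto=$1; port=$2
  tmp=$(mktemp)
  status=$(curl -k -s -o "$tmp" -w '%{http_code}' "$proto://$EM_OMS_HOST:$port/em/upload")
  body=$(cat "$tmp"); rm -f "$tmp"
  upload_probe_verdict "$proto" "$status" "$body"
}

# Constructed samples following Examples 4-6 and 4-7.
LOCK_OUT='Oracle Enterprise Manager 10g Release 5 Grid Control
Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
OMS Console is locked. Access the console over HTTPS ports.
Agent Upload is locked. Agents must be secure and upload over HTTPS port.'

UNLOCK_OUT='Oracle Enterprise Manager 10g Release 5 Grid Control
Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
OMS Console is unlocked. HTTP ports too can be used to access console.
Agent Upload is unlocked. Unsecure Agents may upload over HTTP.'

echo "after lock:   $(lock_state "$LOCK_OUT")"
echo "after unlock: $(lock_state "$UNLOCK_OUT")"
# Constructed probe results matching the messages quoted in steps 5 and 6.
echo "http probe:   $(upload_probe_verdict http 403 "Forbidden You don't have permission to access /em/upload on this server")"
echo "https probe:  $(upload_probe_verdict https 200 "Http XML File receiver Http Recceiver Servlet active!")"
if [ -n "${EM_OMS_HOST:-}" ]; then
  echo "live http:    $(live_probe http 4889)"
  echo "live https:   $(live_probe https 4888)"
fi
```

The probe matches on "Servlet active" rather than the full receiver banner so that the check does not depend on the exact spelling of the servlet message. A result of http-upload-open after the lock was applied means unsecure agents can still upload; repeat the emctl secure lock -upload step and restart the Management Service before relying on the lock.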

To restrict HTTP access to the Oracle Enterprise Manager 10g Grid Control Console, use the emctl secure lock -console command.

Managing Agent Registration Passwords

Enterprise Manager uses the Agent Registration password to validate that installations of Oracle Management Agents are authorized to load their data into the Oracle Management Service.

The Agent Registration password is created during installation when security is enabled for the Oracle Management Service.


Note:

To prevent new Agents from being installed, you can delete all the registration passwords.

Using the Grid Control Console to Manage Agent Registration Passwords

You can use the Grid Control Console to manage your existing registration passwords or create additional registration passwords:

  1. Click Setup at the top of any Grid Control Console page.

  2. Click Registration Passwords.

    Enterprise Manager displays the Registration Passwords page (Figure 4-4). The registration password you created when you ran the emctl secure oms command appears in the Registration Passwords table.

  3. Use the Registration Passwords page to change your registration password, create additional registration passwords, or remove registration passwords associated with the current Management Repository.

Figure 4-4 Managing Registration Passwords in the Grid Control Console

Surrounding text describes Figure 4-4 .

When you create or edit an Agent Registration Password on the Registration Passwords page, you can choose whether the password is persistent (available for multiple Management Agents), usable only once, or valid only for a predefined period of time.

For example, if an administrator requests to install a Management Agent on a particular host, you can create a one-time-only password that the administrator can use to install and configure one Management Agent.

On the other hand, you can create a persistent password that an administrator can use for the next two weeks before it expires and the administrator must ask for a new password.

Using emctl to Add a New Agent Registration Password

To add a new Agent Registration Password, use the following emctl command on the machine on which the Management Service has been installed:

$PROMPT> emctl secure setpwd [sysman pwd] [new registration pwd]

The emctl secure setpwd command requires that you provide the password of the Enterprise Manager super administrator user, sysman, to authorize the resetting of the Agent Registration Password.

If you change the Agent Registration Password, you must communicate the new password to other Enterprise Manager administrators who need to install new Management Agents, enable Enterprise Manager Framework Security for existing Management Agents, or install additional Management Services.

As with other security passwords, change the Agent Registration Password on a regular and frequent basis so that its circulation stays limited.
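The one-time and time-limited registration password behaviour described above, modelled in Python as an added example. This is not Enterprise Manager's own code: the salted PBKDF2 storage, the constant-time comparison and the epoch-second timestamps are assumptions chosen for the illustration, and the password values are constructed.

```python
"""Model of the Agent Registration Password lifecycle described on this page:
single-use passwords that are consumed by one agent registration, and
persistent passwords that expire after a chosen period. Added example, not
Enterprise Manager's code; salted PBKDF2 storage, constant-time comparison
and epoch-second timestamps are assumptions made for the illustration."""
import hashlib
import hmac
import os
import time


class RegistrationPasswords:
    def __init__(self):
        self._entries = {}  # name -> {salt, digest, one_time, expires, used}

    @staticmethod
    def _digest(salt, password):
        # Never keep the registration password itself; keep a salted, slow hash.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add(self, name, password, one_time=False, valid_for=None, now=None):
        """Register a password. valid_for is a lifetime in seconds (None = no expiry)."""
        now = time.time() if now is None else now
        salt = os.urandom(16)
        self._entries[name] = {
            "salt": salt,
            "digest": self._digest(salt, password),
            "one_time": one_time,
            "expires": None if valid_for is None else now + valid_for,
            "used": False,
        }

    def register_agent(self, password, now=None):
        """Validate an agent's registration attempt.
        Returns the name of the password that authorised it, or None."""
        now = time.time() if now is None else now
        for name, entry in self._entries.items():
            if entry["used"]:
                continue                       # one-time password already spent
            if entry["expires"] is not None and now >= entry["expires"]:
                continue                       # persistent password past its lifetime
            candidate = self._digest(entry["salt"], password)
            if hmac.compare_digest(candidate, entry["digest"]):
                if entry["one_time"]:
                    entry["used"] = True       # consumed by this single registration
                return name
        return None

    def revoke_all(self):
        """Deleting every registration password blocks any new Agent install."""
        self._entries.clear()


def demo():
    """Walk through the scenarios the page describes; returns the outcomes."""
    store = RegistrationPasswords()
    t0 = 1_230_000_000                       # arbitrary epoch seconds (constructed)
    two_weeks = 14 * 86_400
    store.add("two-week-pwd", "Ag3nt-Reg-2009", valid_for=two_weeks, now=t0)
    store.add("one-host-pwd", "Install-Once", one_time=True, now=t0)
    return [
        store.register_agent("Install-Once", now=t0),                  # 'one-host-pwd'
        store.register_agent("Install-Once", now=t0 + 60),             # None: already used
        store.register_agent("Ag3nt-Reg-2009", now=t0 + 13 * 86_400),  # 'two-week-pwd'
        store.register_agent("Ag3nt-Reg-2009", now=t0 + two_weeks),    # None: expired
        store.register_agent("not-the-password", now=t0),              # None: wrong
    ]


if __name__ == "__main__":
    print(demo())
```

The point of the model is that a one-time password is marked used in the same step that accepts it, so a second host presenting the same password is refused, and that revoking every entry has the effect the Note above describes: no new Agent can register at all.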

Enabling Security with a Server Load Balancer

When you deploy a Management Service that is available behind a Server Load Balancer (SLB), special attention must be given to the DNS host name over which the Management Service will be available. Although the Management Service may run on a particular local host, for example myhost.mycompany.com, your Management Agents will access the Management Service using the host name that has been assigned to the Server Load Balancer. For example, oracleoms.mycompany.com.

As a result, when you enable Enterprise Manager Framework Security for the Management Service, it is important to ensure that the Server Load Balancer host name is embedded in the certificate that the Management Service uses for SSL communications, so that the name the Agents connect to matches the certificate. You do this by running emctl secure oms with an extra -host parameter that names the Server Load Balancer, as follows:

  • Set the UseCanonicalName directive to On in the OMS_Home/Apache/Apache/conf/httpd.conf file.

  • Enable security on the Management Service, specifying the Server Load Balancer host name and ports:

    $PROMPT>emctl secure oms -host <slb_hostname> [-slb_console_port <slb UI port>] [-slb_port <slb upload port>] [other params]

  • Create virtual servers and pools on the Server Load Balancer.

  • Verify that the console can be accessed using the following URL:

    https://slbhost:slb_console_port/em

  • Re-secure the Agents against the Server Load Balancer by using the following command:

    $PROMPT>emctl secure agent -emdWalletSrcUrl <SLB Upload url>

Enabling Security for the Management Repository Database

This section describes how to enable Security for the Oracle Management Repository.

About Oracle Advanced Security and the sqlnet.ora Configuration File

You enable security for the Management Repository by using Oracle Advanced Security. Oracle Advanced Security ensures the security of data transferred to and from an Oracle database.

To enable Oracle Advanced Security for the Management Repository database, you must make modifications to the sqlnet.ora configuration file. The sqlnet.ora configuration file is used to define various database connection properties, including Oracle Advanced Security parameters.

The sqlnet.ora file is located in the following subdirectory of the Database home:

ORACLE_HOME/network/admin

After you have enabled Security for the Management Repository and the Management Services that communicate with the Management Repository, you must also configure Oracle Advanced Security for the Management Agent by modifying the sqlnet.ora configuration file in the Management Agent home directory.

It is important that both the Management Service and the Management Repository are configured to use Oracle Advanced Security. Otherwise, errors will occur when the Management Service attempts to connect to the Management Repository. For example, the Management Service might receive the following error:

ORA-12645: Parameter does not exist

To correct this problem, be sure both the Management Service and the Management Repository are configured as described in the following sections.


Note:

The procedures in this section describe how to manually modify the sqlnet.ora configuration file to enable Oracle Advanced Security. Alternatively, you can make these modifications using the administration tools described in the Oracle Database Advanced Security Administrator's Guide.

Configuring the Management Service to Connect to a Secure Management Repository Database

If you have enabled Oracle Advanced Security for the Management Repository database, or if you plan to enable it, use the following procedure to enable Oracle Advanced Security for the Management Service:

  1. Stop the Management Service:

    $PROMPT> ORACLE_HOME/bin/emctl stop oms
    
  2. Locate the following configuration file in the Management Service home directory:

    ORACLE_HOME/sysman/config/emoms.properties
    
  3. Using a text editor, add the entries described in Table 4-4 to the emoms.properties file.

    The entries in the table correspond to valid parameters you can set when you configure network data encryption for the Oracle Database.


    See Also:

    "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" in the Oracle Database Advanced Security Administrator's Guide

  4. Save your changes and exit the text editor.

  5. Restart the Management Service.

    $PROMPT> ORACLE_HOME/bin/emctl start oms
    

Table 4-4  Oracle Advanced Security Properties in the Enterprise Manager Properties File

oracle.sysman.emRep.dbConn.enableEncryption
    Defines whether Enterprise Manager uses encryption between the Management Service and the Management Repository. Possible values are TRUE and FALSE. The default value is FALSE. For example:

    oracle.sysman.emRep.dbConn.enableEncryption=true

oracle.net.encryption_client
    Defines the Management Service encryption requirement. Possible values are REJECTED, ACCEPTED, REQUESTED, and REQUIRED. The default value is REQUESTED: if the database supports encrypted connections, the Management Service uses them; otherwise it falls back to unencrypted connections. Set REQUIRED if the connection must fail rather than fall back. For example:

    oracle.net.encryption_client=REQUESTED

oracle.net.encryption_types_client
    Defines the encryption algorithms the client supports. Possible values are listed within parentheses. The default value is ( DES40C ). For example:

    oracle.net.encryption_types_client=( DES40C )

oracle.net.crypto_checksum_client
    Defines the client's checksum (integrity) requirement. Possible values are REJECTED, ACCEPTED, REQUESTED, and REQUIRED. The default value is REQUESTED: if the server supports checksummed connections, the Management Service uses them; otherwise it uses normal connections. For example:

    oracle.net.crypto_checksum_client=REQUESTED

oracle.net.crypto_checksum_types_client
    Defines the checksum algorithms the client supports. Possible values are listed within parentheses. The default value is ( MD5 ). For example:

    oracle.net.crypto_checksum_types_client=( MD5 )

Note that the default algorithms, 40-bit DES (DES40C) and MD5, are weak. Oracle Database 10g Advanced Security also offers AES (AES128, AES192, AES256) and 3DES for encryption and SHA1 for integrity; specify the stronger algorithm on both the Management Service and the Management Repository so that it is the one negotiated.


Enabling Oracle Advanced Security for the Management Repository

To be sure your database is secure and that only encrypted data is transferred between your database server and other sources, review the security documentation available in the Oracle Database 10g documentation library.

The following instructions provide an example of how you can confirm that Oracle Advanced Security is enabled for your Management Repository database and its connections with the Management Service:

  1. Locate the sqlnet.ora configuration file in the following directory of the database Oracle Home:

    ORACLE_HOME/network/admin
    
  2. Using a text editor, make sure the following entries (or similar entries) are present in the sqlnet.ora file, adding them if necessary:

    SQLNET.ENCRYPTION_SERVER = REQUESTED
    SQLNET.CRYPTO_SEED = "abcdefg123456789"
    

    See Also:

    "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" in the Oracle Database Advanced Security Administrator's Guide

  3. Save your changes and exit the text editor.
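The emoms.properties settings from Table 4-4 and the sqlnet.ora entries above are negotiated pairwise, and a REQUESTED/ACCEPTED pair will quietly connect in cleartext if the other end is misconfigured. The following Python script, added here as an example and not part of Enterprise Manager or any Oracle tool, parses both files, applies Oracle's negotiation matrix to predict whether the link will be encrypted and integrity-checked, and flags the weak defaults (DES40C, MD5). The configuration fragments embedded in it are constructed, and the mapping of the JDBC-style DES names to sqlnet.ora names is an assumption.

```python
"""Predict how Oracle Advanced Security negotiates between the Management Service
(emoms.properties, client side) and the Repository (sqlnet.ora, server side),
and flag weak or merely optional settings. Added example, not Oracle tooling;
the config fragments are constructed and the DES alias map is an assumption."""
import re

# Oracle's negotiation matrix for ENCRYPTION_* / CRYPTO_CHECKSUM_* (row = client).
_MATRIX = {
    "REJECTED":  {"REJECTED": "OFF",  "ACCEPTED": "OFF", "REQUESTED": "OFF", "REQUIRED": "FAIL"},
    "ACCEPTED":  {"REJECTED": "OFF",  "ACCEPTED": "OFF", "REQUESTED": "ON",  "REQUIRED": "ON"},
    "REQUESTED": {"REJECTED": "OFF",  "ACCEPTED": "ON",  "REQUESTED": "ON",  "REQUIRED": "ON"},
    "REQUIRED":  {"REJECTED": "FAIL", "ACCEPTED": "ON",  "REQUESTED": "ON",  "REQUIRED": "ON"},
}
# emoms.properties spells the DES family the JDBC-thin way; sqlnet.ora uses DES40 / DES.
_ALIAS = {"DES40C": "DES40", "DES56C": "DES"}
WEAK_ENCRYPTION = {"DES40", "DES", "RC4_40", "RC4_56"}
WEAK_CHECKSUM = {"MD5"}

# (label, OMS level key, DB level key, OMS types key, DB types key, OMS default types, weak set)
_CHECKS = (
    ("encryption", "ORACLE.NET.ENCRYPTION_CLIENT", "SQLNET.ENCRYPTION_SERVER",
     "ORACLE.NET.ENCRYPTION_TYPES_CLIENT", "SQLNET.ENCRYPTION_TYPES_SERVER", "( DES40C )", WEAK_ENCRYPTION),
    ("checksum", "ORACLE.NET.CRYPTO_CHECKSUM_CLIENT", "SQLNET.CRYPTO_CHECKSUM_SERVER",
     "ORACLE.NET.CRYPTO_CHECKSUM_TYPES_CLIENT", "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER", "( MD5 )", WEAK_CHECKSUM),
)


def parse_kv(text):
    """'key=value' / 'KEY = value' lines -> dict with upper-cased keys; '#' lines skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                out[key.strip().upper()] = value.strip()
    return out


def parse_algos(value):
    """'( DES40C, AES256 )' -> ['DES40', 'AES256'] in sqlnet.ora spelling."""
    return [_ALIAS.get(n.upper(), n.upper()) for n in re.findall(r"[A-Za-z0-9_]+", value)]


def negotiate(client_level, server_level):
    """Handshake result: 'ON', 'OFF' (cleartext) or 'FAIL' (no connection at all)."""
    return _MATRIX[client_level.upper()][server_level.upper()]


def audit(oms_props_text, sqlnet_text):
    """Return {'encryption': outcome, 'checksum': outcome, 'findings': [...]}."""
    oms, db = parse_kv(oms_props_text), parse_kv(sqlnet_text)
    findings = []
    if oms.get("ORACLE.SYSMAN.EMREP.DBCONN.ENABLEENCRYPTION", "false").lower() != "true":
        findings.append("OMS: enableEncryption is not true; oracle.net.* settings are ignored "
                        "and the OMS connects without Advanced Security")
    result = {"findings": findings}
    for label, c_key, s_key, c_types, s_types, default_types, weak in _CHECKS:
        c_level = oms.get(c_key, "REQUESTED").upper()  # OMS default per Table 4-4
        s_level = db.get(s_key, "ACCEPTED").upper()    # sqlnet.ora default
        outcome = result[label] = negotiate(c_level, s_level)
        if outcome != "ON":
            findings.append(f"{label}: client={c_level} server={s_level} -> {outcome}")
        elif "REQUIRED" not in (c_level, s_level):
            findings.append(f"{label}: ON now, but neither side is REQUIRED, so a misconfigured "
                            "peer would silently fall back to cleartext")
        c_algos = parse_algos(oms.get(c_types, default_types))
        s_algos = parse_algos(db.get(s_types, "")) or c_algos  # unset on the DB = all installed
        common = [a for a in c_algos if a in s_algos]
        if outcome == "ON" and not common:
            findings.append(f"{label}: no algorithm common to both sides ({c_algos} vs {s_algos})")
        findings.extend(f"{label}: weak algorithm {a} would be negotiated; prefer AES256 / SHA1"
                        for a in common if a in weak)
    return result


# Constructed samples: WEAK_* mirrors the page's documented defaults, HARD_* requires strong
# algorithms on both ends so that a downgrade fails instead of succeeding quietly.
WEAK_OMS = """oracle.sysman.emRep.dbConn.enableEncryption=true
oracle.net.encryption_client=REQUESTED
oracle.net.encryption_types_client=( DES40C )
oracle.net.crypto_checksum_client=REQUESTED
oracle.net.crypto_checksum_types_client=( MD5 )"""
WEAK_DB = """SQLNET.CRYPTO_SEED = "abcdefg123456789"
SQLNET.ENCRYPTION_SERVER = REQUESTED"""
HARD_OMS = """oracle.sysman.emRep.dbConn.enableEncryption=true
oracle.net.encryption_client=REQUIRED
oracle.net.encryption_types_client=( AES256 )
oracle.net.crypto_checksum_client=REQUIRED
oracle.net.crypto_checksum_types_client=( SHA1 )"""
HARD_DB = """SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)"""

if __name__ == "__main__":
    print("defaults:", audit(WEAK_OMS, WEAK_DB))
    print("hardened:", audit(HARD_OMS, HARD_DB))
```

Feed audit() the contents of the real emoms.properties and sqlnet.ora; an empty findings list means both sides are REQUIRED and share a strong algorithm, while a FAIL outcome corresponds to the kind of connection error the section warns about when only one end is configured.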

Enabling Security for a Management Agent Monitoring a Secure Management Repository or Database

After you have enabled Oracle Advanced Security for the Management Repository, you must also enable Advanced Security for the Management Agent that is monitoring the Management Repository:

  1. Locate the sqlnet.ora configuration file in the following directory inside the home directory for the Management Agent that is monitoring the Management Repository:

    AGENT_HOME/network/admin (UNIX)
    AGENT_HOME\network\admin (Windows)
    
  2. Using a text editor, add the following entry to the sqlnet.ora configuration file:

    SQLNET.CRYPTO_SEED = "abcdefg123456789"
    

    See Also:

    "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" in the Oracle Database Advanced Security Administrator's Guide

  3. Save your changes and exit the text editor.

  4. Restart the Management Agent.

Configuring Third Party Certificates

You can configure third party certificates for the HTTPS Upload Virtual Host (the port over which secure Management Agents upload) and for the HTTPS Apache Virtual Host (the console).

Configuring Third Party Certificate for HTTPS Upload Virtual Host

You can configure the third party certificate for the HTTPS Upload Virtual Host in two ways:

Method 1

  1. Create a wallet for each OMS in the grid.

  2. While creating the wallet, specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Load Balancer for Common Name.

  3. Write the certificates of all the Certificate Authorities in the certificate chain (like the Root Certificate Authority, Intermediate Certificate Authority) into a file named trusted_certs.txt.

  4. Download or copy the trusted_certs.txt file to the host machines on which each Agent that is communicating with the OMS is running.

  5. Run the following command on each Agent and restart the Agent:

    emctl secure add_trust_cert -trust_certs_loc <location of the trusted_certs.txt file>
    
  6. Run the following command on each OMS:

    emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt> [any other options]
    

    Note:

    If the wallet is not a single sign-on wallet, you will be prompted for the password.

Method 2

  1. Create a wallet for each OMS in the grid.

  2. Specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Server Load Balancer for Common Name (CN).

  3. Write the certificates of all the Certificate Authorities in the certificate chain (like the Root Certificate Authority, Intermediate Certificate Authority) into a file named trusted_certs.txt.

  4. Download or copy the trusted_certs.txt file to the host machines on which each Agent that is communicating with the OMS is running.

  5. Run the following command on each OMS:

    emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt> [any other options]
    

    Note:

    If the wallet is not a single sign-on wallet, you will be prompted for the password.

  6. Either re-secure the Agent by running the emctl secure agent command or import the trust points by running the emctl secure add_trust_cert -trust_certs_loc <location of the trusted_certs.txt file> command.

Configuring Third Party Certificate for HTTPS Apache Virtual Host

To configure the third party certificate for HTTPS Apache Virtual Host:

  1. Create a wallet for each OMS in the grid. Specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Server Load Balancer for Common Name.

  2. Run the following command on each OMS:

    emctl secure console -wallet <location of wallet>
    

    Note:

    If the wallet is not a single sign-on wallet, you are prompted for the wallet's password.


Configuring Security for the Application Server Control

Caution:

Before you use the emctl secure em command to secure the Application Server Control Console, be sure to stop the Application Server Control Console.

To configure security for the Application Server Control, use the following procedure:

  1. Stop the Application Server Control Console by entering the following command in the IAS_HOME/bin directory:

    $PROMPT> ./emctl stop iasconsole
    
  2. Enter the following command in the ORACLE_HOME/bin directory:

    $PROMPT> ./emctl secure em
    

    Enterprise Manager secures the Application Server Control Console. Sample output of the emctl secure em command is shown in Example 4-8.

  3. Start the Application Server Control Console by entering the following command in the IAS_HOME/bin directory:

    $PROMPT> ./emctl start iasconsole
    
  4. Test the security of the Application Server Control Console by entering the following URL in your Web browser:

    https://hostname:port/
    

    For example:

    https://mgmthost1:1812/
    

Example 4-8 Sample Output from the emctl secure em Command

$PROMPT> ./emctl secure em
Oracle Enterprise Manager 9.0.4
Copyright (c) 2002, 2003 Oracle Corporation.  All rights reserved.
Generating Standalone Console Root Key (this takes a minute)...   Done.
Fetching Standalone Console Root Certificate...   Done.
Generating Standalone Console Agent Key...   Done.
Generating Oracle Wallet for the Standalone Console Agent...   Done.
Configuring Agent for HTTPS...   Done.
EMD_URL set in /dsk01/oracle/appserver1/sysman/config/emd.properties
Generating Standalone Console Java Keystore...   Done.
$PROMPT>

Configuring Security for the Database Control

This section describes the architecture and configuration of security for the Oracle Enterprise Manager 10g Database Control.

Oracle strongly recommends that you use the Secure Socket Layer (SSL) protocol and HTTPS for all connections to Enterprise Manager and that you use a valid digital security certificate.

To configure security for the Database Control:

  1. Stop the Database Control by entering the following command in the ORACLE_HOME/bin directory (UNIX) or the ORACLE_HOME\bin (Windows):

    $PROMPT> ./emctl stop dbconsole (UNIX)
    $PROMPT> emctl stop dbconsole (Windows)
    
  2. Change directory to the ORACLE_HOME/bin directory or the ORACLE_HOME\bin (Windows) and enter the following emctl command

    $PROMPT> ./emctl secure dbconsole (UNIX)
    $PROMPT> emctl secure dbconsole (Windows)
    

    Enterprise Manager prompts you for the Enterprise Manager Root Password.

  3. Enter the password for the SYSMAN database user.

    Enterprise Manager prompts you to specify an Agent Registration Password, which is a new password that will be required for any Management Agents that attempt to connect to the Management Service.

  4. Specify an Agent Registration Password for the Management Service.

    Enterprise Manager prompts you to confirm the host name of the Management Service.

  5. Enter the name of the host where the Management Service resides.

    The emctl secure utility reconfigures the Management Service to enable Framework Security. If the Management Service is up and running, Enterprise Manager restarts the Management Service.

    When the operation is complete, communications between the Enterprise Manager components are secure.

    In addition, you can access the Database Control using the HTTPS protocol.

  6. Start the Database Control by entering the following command in the ORACLE_HOME/bin directory or the ORACLE_HOME\bin (Windows):

    $PROMPT> ./emctl start dbconsole (UNIX)
    $PROMPT> emctl start dbconsole (Windows)
    
  7. Test the security of the Database Control by entering the following URL in your Web browser:

    https://hostname:port/em
    

    For example:

    https://dbhost1:1820/em
    

    Note:

    Alternatively, you can enter the emctl secure dbconsole command all on one line, but if you enter the command on one line, the passwords you enter will be displayed on the screen as you type:

    $PROMPT> emctl secure dbconsole sysman_pwd agent_reg_pwd


Accessing Managed Targets

The following topics are discussed in this section:

Credential Subsystem

Credentials are required to access targets such as databases, application servers, and hosts. By using appropriate credentials, you can:

  • Collect metrics in the background as well as real-time

  • Perform jobs like backup, patching, cloning etc.

  • Perform real-time target administration like start, stop etc.

  • Connect to My Oracle Support

The following types of credentials are available:

  • Monitoring Credentials are encrypted in the Management Agent and are used to monitor certain types of targets.

  • Preferred Credentials simplify access to managed targets by storing target login credentials in the Management Repository. With preferred credentials set, users can access an Enterprise Manager target that recognizes those credentials without being prompted to log into the target. Preferred credentials are set on a per user basis, thus ensuring the security of the managed enterprise environment.

  • Job Credentials are used by the Job System and override Preferred Credentials. You can select the type of credentials you want to use to run the job on the selected targets.

  • User-Defined Metrics Collection Credentials are associated with user-defined metrics collection.

Managing Credentials Using EMCLI

You can manage passwords using EMCLI verbs. Using EMCLI, you can:

  • Change the database user password in both the target database and Enterprise Manager.

    emcli update_db_password -change_at_target=Yes|No -change_all_reference=Yes|No
    
  • Update a password which has already been changed at the host target.

    emcli update_host_password -change_all_reference=Yes|No
    

Sudo and Powerbroker Support

Privilege delegation allows a logged-in user to perform an activity with the privileges of another user. Sudo and PowerBroker are privilege delegation tools that grant a logged-in user those privileges. Typically, the privileges granted to a specific user are administered centrally. For example, the sudo command can be used to run a script that requires root access:

sudo -u root ./root.sh

In the example above, an administrator can run the script as root provided the system administrator has granted the appropriate privileges in the sudoers file. Enterprise Manager preferred credentials allow you to use two types of privilege delegation tools: Sudo and PowerBroker. You can use EMCLI or the Manage Privilege Delegation Settings page to set or edit privilege delegation settings for a host. See the Enterprise Manager Command Line Interface guide for more information on using the command line.

Sudo: Sudo allows a permitted user to execute a command as the superuser or as another user, as specified in the sudoers file. If the invoking user is root, or if the target user is the same as the invoking user, no password is required. Otherwise, sudo by default requires users to authenticate with a password (in the default configuration this is the user's own password, not the root password). Once a user has been authenticated, a timestamp is updated and the user may use sudo without a password for a short period of time (5 minutes unless overridden in sudoers). Sudo determines who is an authorized user by consulting the /etc/sudoers file.

PowerBroker: Symark PowerBroker enables UNIX system administrators to specify the circumstances under which other people may run certain programs as root (or as other important accounts). The result is that responsibility for such actions as adding user accounts, fixing line printer queues, and so on, can be safely assigned to the appropriate people without disclosing the root password. The full power of root is thus protected from potential misuse or abuse, for example modifying databases or file permissions, erasing disks, or more subtle damage. Symark PowerBroker can access existing programs as well as its own set of utilities that execute common system administration tasks. Utilities being developed to run on top of Symark PowerBroker can manage passwords, accounts, backups, line printers, file ownership or removal, rebooting, logging people out, killing their programs, deciding who can log in to where from where, and so on. They can also provide TCP/IP, Load Balancer, cron, NIS, NFS, FTP, rlogin, and accounting subsystem management. Users can work from within a restricted shell or editor to access certain programs or files as root. See your Sudo or PowerBroker documentation for detailed setup and configuration information.

Creating a Privilege Delegation Setting

Enterprise Manager allows you to create privilege delegation settings either by creating the setting directly on a host target, or by creating a privilege delegation setting template that you can apply to multiple hosts.


To create a privilege delegation setting directly on a host:

  1. Navigate to the Setup page and click Manage Privilege Delegation Settings on the left panel.

  2. For any host target appearing in the table, click Edit. Enterprise Manager takes you to the Host Privilege Delegation Setting page.

  3. Select a privilege delegation type (Sudo or PowerBroker).

  4. Enter the privilege delegation command to be used and, in the case of PowerBroker, the optional Password Prompt.

  5. Click Update to apply the settings to the host.

Cryptographic Support

To protect sensitive data in Enterprise Manager, an encryption key known as the emkey is used. The emkey is the master key used to encrypt and decrypt sensitive data, such as passwords and preferred credentials, that is stored in the Repository. The key itself is originally stored in the Repository, and it must be present there whenever a new OMS is being installed. Once all OMSs have been installed, however, the key should be removed from the Repository. By storing the key separately from the Enterprise Manager schema, sensitive data such as Preferred Credentials in the Repository remain inaccessible to the schema owner and to other SYSDBA users (privileged users who can perform maintenance tasks on the database). Keeping the key out of the schema also ensures that sensitive data remain inaccessible to anyone who obtains a Repository backup. Further, the schema owner should not have access to the OMS/Repository Oracle homes.

Configuring the emkey

The emkey is an encryption key that is used to encrypt and decrypt sensitive data in Enterprise Manager such as host passwords, database passwords and others. By default, the emkey is stored in the $ORACLE_HOME/sysman/config/emkey.ora file. The location of this file can be changed.


WARNING:

If the emkey.ora file is lost or corrupted, all the encrypted data in the Management Repository becomes unusable. Maintain a backup copy of this file on another system.


During startup, the Oracle Management Service checks the status of the emkey. If the emkey has been properly configured, the Management Service uses it to encrypt and decrypt data. If the emkey has not been configured properly, the following error message is displayed.

Example 4-9 emctl start oms Command

$prompt> emctl start oms
Oracle Enterprise Manager 10g Release 10.2.0.0.0
Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
Starting HTTP Server ...
Starting Oracle Management Server ...
Checking Oracle Management Server Status ...
Oracle Management Server is not functioning because of the following reason:
The Em Key is not configured properly. Run "emctl status emkey" for more details.

Setting Up the Auditing System for Enterprise Manager

All operations performed by Enterprise Manager users, such as creating users, granting privileges, or starting a remote job like patching or cloning, need to be audited to support compliance with regulations such as the Sarbanes-Oxley Act of 2002 and with auditing standards such as SAS 70, which defines how an auditor assesses the internal controls of a service organization. Auditing an operation enables an administrator to monitor, detect, and investigate problems and enforce enterprise-wide security policies.

Irrespective of how the user has logged into Enterprise Manager, if auditing is enabled, each user action is audited and the audit details are stored in a record.

Configuring the Enterprise Manager Audit System

You can configure the Enterprise Manager Audit System by using the following options:

Enabling and Disabling Auditing Using emcli Commands

You can use the following emcli commands:

  • enable_audit: Enables auditing for all user operations.

  • disable_audit: Disables auditing for all user operations.

  • show_audit_actions_list: Shows a list of the user operations being audited.

  • show_audit_settings: Shows the audit status, operation list, externalization service details, and purge period details.

Enabling and Disabling Auditing Using PL/SQL

To set up the audit system in Enterprise Manager:

  1. The audit function is turned off by default. Log in to the Enterprise Manager Management Repository as the sysman user. To turn on the audit function, enter the following commands:

    SQL> exec mgmt_audit_admin.enable_audit;
    SQL> commit;
    
  2. After enabling auditing, you must restart the Oracle Management Service to ensure that this change has taken effect.

  3. You can then login to Enterprise Manager and perform other user operations.


Notes:

  • You can disable the auditing function by entering the following command:

    SQL> exec  mgmt_audit_admin.disable_audit;
    SQL> commit;
    

    After disabling auditing, you must restart the Oracle Management Service to ensure that this change has taken effect.

  • All the Super Administrators can view the audit data.

  • To view the audit data, log in to Enterprise Manager and click the Setup option. On the Setup page, click the Management Services and Repository tab. In the Overview page, click the Audit Data link under the Audit section to view the audit data.


Configuring the Audit Data Export Service

Audit data needs to be protected and maintained for several years. The volume of audit data may become very large and impact the performance of the system. To limit the amount of data stored in the repository, the audit data must be externalized or archived at regular intervals. The archived audit data is stored in XML files complying with the ODL format. To externalize the audit data, the EM_AUDIT_EXTERNALIZATION API is used. Files named <file-prefix>.NNNNN.xml are generated, where NNNNN is a five-digit sequence number that starts at 00001 and continues to 99999.

You can set up the audit externalization service for exporting audit data into the file system by using the following emcli command:

  • update_audit_setting -file_prefix=<file_prefix> -directory_name=<directory_name> -file_size=<file size> -data_retention_period=<period in days>: Sets up the externalization service for exporting audit data to the file system.

    • file_prefix: The prefix of the file which contains the audit data.

    • directory_name: The name of the database directory that is mapped to the OS directory.

    • file_size: The file size is the size of the file the data is written to.

    • data_retention_period: The period for which the audit data is to be retained inside the repository.

For more details on the EMCLI verbs, refer to Enterprise Manager Command Line Reference.

Searching the Audit Data

You can search for audit data that has been generated over a specified period. You can also search for the following:

  • Audit details of a specific user operation or all user operations.

  • Audit details of operations with a Success or Failure status or All operations.

To view the audit data, click the Setup option. On the Setup page, click the Management Services and Repository tab. The Overview page is displayed. Click the Audit Data link under the Audit section. The Audit Data page is displayed.

Figure 4-5 Audit Data Search Page

Surrounding text describes Figure 4-5 .

Specify the search criteria in the fields and click Go. The results are displayed in the Summary table.

Figure 4-6 Audit Data Search Page

Surrounding text describes Figure 4-6 .

To view the details of each record that meets the search criteria, select Detailed in the View drop-down list. To drill down to the full record details, click on the Timestamp. The Audit Record page is displayed.

Figure 4-7 Audit Record Details Page

Surrounding text describes Figure 4-7 .
Field Name and Description

General

    Operation Timestamp: The date and time at which the operation took place.
    Administrator: The ID of the administrator who logged in to Enterprise Manager.
    Operation: The type of operation being audited.
    Status: The status of the operation, which can be Success or Failure.
    Message: A descriptive message indicating the status of the operation.
    Normalized Timestamp: The UTC timestamp.

Client Information

    Session: Either the HTTP Session ID or the DBMS Session ID.
    IP Address: The IP address of the client's host machine.
    Hostname: The name of the client's host machine.
    Upstream Component Type: The type of client (Console, Web Service, EMCLI) being used.
    Authentication Type: The nature of the session (HTTP Session, DB Session).
    Upstream Component Name: The name of the client being used.

OMS Information

    Hostname: The host name of the Oracle Management Service.
    IP Address: The IP address of the Oracle Management Service.
    Instance ID: The Instance ID of the Oracle Management Service.

Operation Specific Information

    Object Name: The operation being performed on an object