27.10 EMCTL Security Commands

This section explains the EMCTL security commands.

The topics covered in this section are:

  • EMCTL Secure Commands

  • EMCTL Security Diagnostic Commands

  • EMCTL EM Key Commands

  • Configuring Authentication

27.10.1 EMCTL Secure Commands

Table 27-4 lists the general EMCTL security commands.

Table 27-4 EMCTL Secure Commands

EMCTL Command Description

emctl secure console [-sysman_pwd <pwd>] (-wallet <wallet_loc>| -self_signed) [-key_strength <strength>] [-cert_validity <validity>]

Sets up the SSL configuration for the HTTPS console port of the OMS.

emctl secure lock [-sysman_pwd <pwd>] [-console] [-upload]

Locks the OMS upload and console, thereby preventing HTTP access to the OMS.

The -console and -upload parameters are optional.

The -console parameter locks the EM console against HTTP access, in which case the EM console can be accessed only over HTTPS.

The -upload parameter prevents the Management Agents from uploading data to the OMS over HTTP, so that the Management Agents can connect to the OMS only over HTTPS.

emctl secure unlock [-sysman_pwd <pwd>] [-console] [-upload]

Unlocks the OMS upload and console, thereby allowing HTTP access to the OMS.

The -console and -upload parameters are optional.

The -console parameter unlocks the console for access over HTTP as well.

The -upload parameter unlocks the upload activity thereby allowing the Management Agents to upload data to the OMS over HTTP as well.

emctl secure createca [-sysman_pwd <pwd>] [-root_country <root_country>] [-root_state <root_state>] [-root_org <root_org>] [-root_unit <root_unit>] [-key_strength <strength>] [-cert_validity <validity>]

Creates a new Certificate Authority (CA) which is used to issue certificates during subsequent securing of OMS and Management Agents.

emctl secure setpwd [sysman password] [new registration password]

Adds a new Management Agent registration password.

emctl secure sync

Verifies whether the Management Repository is up.

emctl secure create_admin_creds_wallet [-admin_pwd <pwd>] [-nodemgr_pwd <pwd>]

Re-creates the Administrator Credentials wallet.

emctl secure oms [-sysman_pwd <sysman password>] [-reg_pwd <registration password>] [-host <hostname>] [-ms_hostname <Managed Server hostname>] [-slb_port <SLB HTTPS upload port>] [-slb_console_port <SLB HTTPS console port>] [-no_slb] [-secure_port <OHS HTTPS upload Port>] [-upload_http_port <OHS HTTP upload port>] [-reset] [-console] [-force_newca] [-lock_upload] [-lock_console] [-unlock_upload] [-unlock_console] [-wallet <wallet_loc> -trust_certs_loc <certs_loc>] [-key_strength <strength>] [-sign_alg <md5|sha1|sha256|sha384|sha512>] [-cert_validity <validity>] [-protocol <protocol>] [-root_dc <root_dc>] [-root_country <root_country>] [-root_email <root_email>] [-root_state <root_state>] [-root_loc <root_loc>] [-root_org <root_org>] [-root_unit <root_unit>]

The emctl secure oms command generates a root key within the Management Repository, modifies the WebTier to enable an HTTPS channel between the OMS and Management Agents, and enables the OMS to accept requests from the Management Agents using the Enterprise Manager Framework Security.

emctl secure wls [-sysman_pwd <sysman password>] (-jks_loc <loc> -jks_pvtkey_alias <alias> | -wallet <loc> | -use_demo_cert)

The emctl secure wls command secures the WebLogic Server.

The parameter descriptions for the above commands are explained below.

  • -host: Indicates the Software Load Balancer (SLB) or virtual host name.

  • -ms_hostname: Indicates the actual host name of the machine where the OMS is running.

  • -slb_port: Indicates the HTTPS port configured on SLB for uploads.

  • -slb_console_port: Indicates the HTTPS port configured on SLB for console access.

  • -no_slb: Removes the SLB configuration.

  • -secure_port: Specifies the HTTPS upload port change on WebTier.

  • -upload_http_port: Specifies the HTTP upload port change on WebTier.

  • -reset: Creates a new CA.

  • -force_newca: Forces the OMS to secure with the new CA, even when there are Management Agents secured with the older CA.

  • -console: Creates a certificate for the console HTTPS port as well.

  • -lock_upload: Locks upload.

  • -lock_console: Locks console.

  • -unlock_upload: Unlocks upload.

  • -unlock_console: Unlocks console.

  • -wallet: Indicates the directory where the external wallet is located.

  • -trust_certs_loc: Indicates the file containing all the trusted certificates.

  • -key_strength: Indicates the key strength; 512|1024|2048.

  • -sign_alg: Signature Algorithm; md5|sha1|sha256|sha384|sha512.

  • -cert_validity: Indicates the number of days the certificate should be valid. The minimum value is 1 and the maximum value is 3650.

  • -protocol: Indicates the SSL protocol to be used on WebTier. The valid values for <protocol> are the allowed values for Apache's SSL protocol directive.

  • -jks_loc: Indicates the location of JKS containing the custom certificate for administrator and managed servers.

  • -jks_pvtkey_alias: Indicates the JKS private key alias.

  • -jks_pwd: Indicates the JKS key store password.

  • -jks_pvtkey_pwd: Indicates the JKS private key password.

  • -wallet: Indicates the location of the wallet containing the custom certificate for administrator and managed servers.

  • -use_demo_cert: Configures the demonstration certificate for administrator and managed servers.

27.10.2 EMCTL Security Diagnostic Commands

Table 27-5 lists the EMCTL security diagnostic commands.

Table 27-5 EMCTL Security Diagnostic Commands

EMCTL Command Description

emctl secdiag openurl -url <url> [-trust_store <location of jks or base64 file>] [-ssl_protocol <protocol>] [-cipher <low|medium|high|some_ciphersuite_name>] [-proxy_host <host> -proxy_port <port>] [-proxy_realm <realm>] [-proxy_user <user> -proxy_pwd <pwd>]

Diagnoses the connectivity issues to the specified URL.

The parameter descriptions are as follows:

  • -url: Indicates the URL to be tested.

  • -trust_store: Indicates the location of the trust store. It can be a jks or base64 file. If it is not specified, the connection will be blindly trusted.

  • -ssl_protocol: Indicates the protocol to be used to make the connection.

  • -cipher: Indicates the cipher suites to be used. You can specify low, medium, high or a cipher suite name.

  • -proxy_host: Indicates the host name of the proxy server.

  • -proxy_port: Indicates the proxy server's port number.

  • -proxy_realm: Indicates the proxy server's realm.

  • -proxy_user: Indicates the proxy user ID.

  • -proxy_pwd: Indicates the proxy user password.
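As an added example (not part of the Oracle documentation and not a feature of emctl), the following POSIX shell script applies pre-flight checks to two of the option sets documented above: the -key_strength, -sign_alg and -cert_validity values of emctl secure oms (27.10.1), and the -trust_store option of emctl secdiag openurl, which the description above says is blindly trusted when omitted. The thresholds it enforces (2048-bit keys only, no md5 or sha1 signatures, a trust store always present) are this script's own policy choices; the documentation merely lists the accepted values and the 1 to 3650 day range. emctl is never invoked here; each function returns 0 to accept and 1 to reject, so a wrapper can run it before assembling the real command line.

```shell
#!/bin/sh
# Added example (not Oracle's code): pre-flight checks for option values
# documented for 'emctl secure oms' and 'emctl secdiag openurl'. emctl is
# never invoked; each function inspects the options it would receive and
# returns 0 (accept) or 1 (reject). The policy thresholds below are this
# script's own assumptions, not requirements stated in the documentation.

# Return 0 if $1 is a whole number between $2 and $3 inclusive.
is_int_in_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Validate -key_strength, -sign_alg and -cert_validity as they would be passed
# to 'emctl secure oms'. Any other option is passed through unchecked.
check_secure_oms_args() {
    key_strength="" ; sign_alg="" ; cert_validity=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -key_strength|-sign_alg|-cert_validity)
                [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 1; }
                case "$1" in
                    -key_strength)  key_strength="$2" ;;
                    -sign_alg)      sign_alg="$2" ;;
                    -cert_validity) cert_validity="$2" ;;
                esac
                shift 2 ;;
            *) shift ;;
        esac
    done
    # Documented values are 512|1024|2048; this policy accepts only 2048.
    case "$key_strength" in
        2048) ;;
        512|1024) echo "reject: -key_strength $key_strength is too weak" >&2; return 1 ;;
        *) echo "reject: -key_strength must be given (2048)" >&2; return 1 ;;
    esac
    # Documented values are md5|sha1|sha256|sha384|sha512; policy rejects md5/sha1.
    case "$sign_alg" in
        sha256|sha384|sha512) ;;
        md5|sha1) echo "reject: -sign_alg $sign_alg is deprecated" >&2; return 1 ;;
        *) echo "reject: -sign_alg must be one of sha256|sha384|sha512" >&2; return 1 ;;
    esac
    # Documented range for -cert_validity is 1..3650 days.
    if ! is_int_in_range "$cert_validity" 1 3650; then
        echo "reject: -cert_validity '$cert_validity' not in 1..3650" >&2; return 1
    fi
    return 0
}

# Refuse an 'emctl secdiag openurl' invocation that omits -trust_store: without
# it the connection is blindly trusted, so the diagnosis says nothing about the
# certificate chain. The trust store file must also exist.
check_openurl_args() {
    trust_store=""
    while [ $# -gt 0 ]; do
        if [ "$1" = "-trust_store" ]; then
            [ $# -ge 2 ] || { echo "missing value for -trust_store" >&2; return 1; }
            trust_store="$2"; shift 2
        else
            shift
        fi
    done
    if [ -z "$trust_store" ]; then
        echo "reject: -trust_store not given; connection would be blindly trusted" >&2
        return 1
    fi
    if [ ! -f "$trust_store" ]; then
        echo "reject: trust store '$trust_store' does not exist" >&2
        return 1
    fi
    return 0
}

# Demonstration with constructed arguments (still no emctl call).
if check_secure_oms_args -sysman_pwd placeholder -key_strength 2048 -sign_alg sha256 -cert_validity 365; then
    echo "secure oms options accepted"
fi
if ! check_secure_oms_args -key_strength 1024 -sign_alg md5 -cert_validity 365; then
    echo "weak secure oms options rejected"
fi
```

A wrapper would call the check with the same argument list it is about to hand to emctl, for example `check_secure_oms_args "$@" && emctl secure oms "$@"`; the rejection reasons go to stderr so they show up in the shell session or job log.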

emctl secdiag dumpcertsinrepos -repos_conndesc <connect descriptor> [-repos_pwd <pwd>]

Displays the trust certificates stored in the specified repository.

emctl secdiag dumpcertsinfile -file <location of jks/sso/p12/base64 file>

Displays the trust certificates present in the specified key store, or wallet, or base64 file.

27.10.3 EMCTL EM Key Commands

Table 27-6 lists the EMCTL EM Key commands.

Table 27-6 EMCTL EM Key Commands

EMCTL Command Description

emctl status emkey [-sysman_pwd <pwd>]

Displays the health or status of the emkey.

emctl config emkey -copy_to_credstore [-sysman_pwd <pwd>]

Copies the emkey from the Management Repository to the Credential Store.

emctl config emkey -remove_from_repos [-sysman_pwd <pwd>]

Removes the emkey from the Management Repository.

emctl config emkey -copy_to_file_from_credstore -admin_host <host> -admin_port <port> -admin_user <username> [-admin_pwd <pwd>] [-repos_pwd <pwd>] -emkey_file <emkey file>

Copies the emkey from the Credential Store to the specified file.

emctl config emkey -copy_to_file_from_repos (-repos_host <host> -repos_port <port> -repos_sid <sid> | -repos_conndesc <conn desc>) -repos_user <username> [-repos_pwd <pwd>] [-admin_pwd <pwd>] -emkey_file <emkey file>

Copies the emkey from the Management Repository to the specified file.

emctl config emkey -copy_to_credstore_from_file -admin_host <host> -admin_port <port> -admin_user <username> [-admin_pwd <pwd>] [-repos_pwd <pwd>] -emkey_file <emkey file>

Copies the emkey from the specified file to the credential store.

emctl config emkey -copy_to_repos_from_file (-repos_host <host> -repos_port <port> -repos_sid <sid> | -repos_conndesc <conn desc>) -repos_user <username> [-repos_pwd <pwd>] [-admin_pwd <pwd>] -emkey_file <emkey file>

Copies the emkey from the specified file to the Management Repository.

27.10.4 Configuring Authentication

This section explains the EMCTL commands for configuring authentications.

The commands covered in this section are:

  • Configuring OSSO Authentication

  • Configuring OAM Authentication

  • Configuring LDAP (OID and AD) Authentication

  • Configuring Repository Authentication (Default Authentication)

The parameter descriptions for all these commands are as below:

  • -enable_auto_provisioning: Enables automatic provisioning in EM, so that external LDAP users need not be provisioned manually in EM.

  • -auto_provisioning_minimum_role <min_role>: Automatically provisions only those external users in EM who have min_role granted to them in LDAP.

  • -minimum_privilege <min_priv>: Prevents access to EM for users who do not have min_priv granted to them.

  • -use_ssl: Uses SSL to connect to the LDAP server.

  • -cert_file <cert>: Indicates the LDAP server certificate used to establish trust when connecting to the LDAP server over SSL. Specify this option if the LDAP server's certificate is signed by a certificate authority that is not well known (or not trusted).

    Note:

    This parameter accepts only a single certificate. Importing certificate chains is not supported. Import the certificate using keytool utility before running this command.

  • -trust_cacerts: Establishes trust to the LDAP server's certificate while connecting to the LDAP server. This parameter is typically used if the certificate is signed by a well known certificate authority.

  • -keystore_pwd <passwd>: Indicates the password for the default DemoTrust.jks keystore (if the default password has changed), or any custom keystore to which the LDAP server's certificate will be imported as a part of validation.

  • -use_anonymous_bind: Uses anonymous bind to connect to the LDAP server.
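The note on -cert_file above says the parameter takes a single certificate, that chains are not supported, and that the certificate is imported with keytool before the emctl config auth command runs. The POSIX shell script below is an added example (not Oracle's code and not part of emctl) that counts the PEM certificate blocks in the file and only then performs the keytool import. The keystore path, alias and the KEYSTORE_PWD environment variable are placeholders of this example, and the PEM files in the demonstration are constructed strings, not real certificates.

```shell
#!/bin/sh
# Added example (not Oracle's code): confirm that the file destined for
# -cert_file holds exactly one PEM certificate (not a chain) before importing
# it with keytool. keytool is only reached when the check passes; keystore,
# alias and KEYSTORE_PWD are placeholders of this example.

# Print the number of PEM certificate blocks in file $1 (0 if absent/empty).
count_pem_certs() {
    [ -f "$1" ] || { echo 0; return; }
    # grep -c prints 0 and exits 1 on no match; keep the printed 0.
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Return 0 only when $1 exists and contains exactly one certificate block,
# which is what -cert_file accepts; explain the rejection otherwise.
check_single_cert() {
    if [ ! -f "$1" ]; then
        echo "reject: '$1' not found" >&2
        return 1
    fi
    n=$(count_pem_certs "$1")
    if [ "$n" -ne 1 ]; then
        echo "reject: '$1' holds $n certificate blocks; -cert_file takes exactly one (chains unsupported)" >&2
        return 1
    fi
    return 0
}

# Import certificate $1 into keystore $2 under alias $3 with keytool, but only
# after the single-certificate check. keytool must be on PATH; -importcert,
# -noprompt, -file, -alias, -keystore and -storepass are standard options.
import_ldap_cert() {
    check_single_cert "$1" || return 1
    keytool -importcert -noprompt -file "$1" -alias "$3" \
        -keystore "$2" -storepass "${KEYSTORE_PWD:?set KEYSTORE_PWD to the keystore password}"
}

# Demonstration with constructed (non-real) PEM files.
tmpdir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE' \
    '-----END CERTIFICATE-----' > "$tmpdir/single.pem"
cat "$tmpdir/single.pem" "$tmpdir/single.pem" > "$tmpdir/chain.pem"
check_single_cert "$tmpdir/single.pem" && echo "single.pem accepted"
check_single_cert "$tmpdir/chain.pem" || echo "chain.pem rejected"
rm -rf "$tmpdir"
```

In practice the call would be `import_ldap_cert /path/to/ldap-server.pem /path/to/DemoTrust.jks ldapserver` with KEYSTORE_PWD exported beforehand, followed by the emctl config auth command with -cert_file pointing at the same file; the keystore password is taken from the environment rather than the command line so it does not appear in shell history.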

27.10.4.1 Configuring OSSO Authentication

The EMCTL OSSO authentication command configures Enterprise Manager to use Oracle Application Server Single Sign-On, so that any single sign-on user can be registered as an Enterprise Manager administrator. The EMCTL command to configure OSSO authentication is:

emctl config auth sso -ossoconf <conf file loc> -dasurl <DAS URL> [-unsecure] [-sysman_pwd <pwd>] [-domain <domain>] -ldap_host <ldap host> -ldap_port <ldap port> -ldap_principal <ldap principal> [-ldap_credential <ldap credential>] -user_base_dn <user base DN> -group_base_dn <group base DN> [-logout_url <sso logout url>] [-enable_auto_provisioning] [-auto_provisioning_minimum_role <min_role>] [-minimum_privilege <min_priv>] [-use_ssl] [-cert_file <cert>] [-trust_cacerts] [-use_anonymous_bind] [-keystore_pwd <passwd>]

For example, emctl config auth sso -ossoconf $T_WORK/osso.conf -dasurl "http://xxx.oracle.com:11" -sysman_pwd sysman -ldap_host xxx.oracle.com -ldap_port 111 -ldap_principal cn=orcladmin -ldap_credential ackdele1 -user_base_dn "cn=Users,dc=us,dc=oracle,dc=com" -group_base_dn "cn=Groups,dc=us,dc=oracle,dc=com" -logout_url "http://xxx.oracle.com:11/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=https://xyy.oracle.com:216/em".

27.10.4.2 Configuring OAM Authentication

Oracle Access Manager authentication is the Oracle Fusion Middleware single sign-on solution. This authentication scheme is used for data centers that have standardized on Oracle Access Manager as the central tool for authentication across all enterprise applications. The EMCTL command to configure OAM authentication is:

emctl config auth oam [-sysman_pwd <pwd>] -oid_host <host> -oid_port <port> -oid_principal <principal> [-oid_credential <credential>] [-use_anonymous_bind] -user_base_dn <dn> -group_base_dn <dn> -oam_host <host> -oam_port <port> [-logout_url <url>] [-is_oam10g] [-user_dn <dn>] [-group_dn <dn>] [-enable_auto_provisioning] [-auto_provisioning_minimum_role <min_role>] [-minimum_privilege <min_priv>] [-use_ssl] [-cert_file <cert>] [-trust_cacerts] [-keystore_pwd <passwd>]

For example, emctl config auth oam -oid_host "xxx.oracle.com" -oid_port "111" -oid_principal "cn=orcladmin" -user_base_dn "cn=users,dc=us,dc=oracle,dc=com" -group_base_dn "cn=groups,dc=us,dc=oracle,dc=com" -oam_host "xxx.oracle.com" -oam_port "555" -oid_credential "eldleco1" -sysman_pwd "sysman" -logout_url http://xxx.oracle.com:23716/oam/server/logout?end_url=https://yyy.oracle.com:5416/em -enable_auto_provisioning -auto_provisioning_minimum_role "EM_DBA".

27.10.4.3 Configuring LDAP (OID and AD) Authentication

The EMCTL command for configuring OID authentication is shown below. For AD, replace emctl config auth oid with emctl config auth ad; all other parameters remain the same.

The OID authentication command configures Oracle Internet Directory as the identity store against which all the applications authenticate their users.

Similarly, the AD authentication command configures Microsoft Active Directory as the identity store against which all the applications authenticate their users.

emctl config auth oid -ldap_host <ldap host> -ldap_port <ldap port> -ldap_principal <ldap principal> [-ldap_credential <ldap credential>] [-sysman_pwd <pwd>] -user_base_dn <user base DN> -group_base_dn <group base DN> [-user_dn <dn>] [-group_dn <dn>] [-enable_auto_provisioning] [-auto_provisioning_minimum_role <min_role>] [-minimum_privilege <min_priv>] [-use_ssl] [-cert_file <cert>] [-trust_cacerts] [-use_anonymous_bind] [-keystore_pwd <passwd>]

For example, emctl config auth oid -ldap_host "xxx.oracle.com" -ldap_port "111" -ldap_principal "cn=orcladmin" -user_base_dn "cn=users,dc=us,dc=oracle,dc=com" -group_base_dn "cn=groups,dc=us,dc=oracle,dc=com" -ldap_credential "elecmee1" -sysman_pwd "sysman" -use_ssl -cert_file "/scratch/oidcert.txt".

27.10.4.4 Configuring Repository Authentication (Default Authentication)

The repository authentication command validates user credentials against the Management Repository. The EMCTL command to configure repository authentication is:

emctl config auth repos [-sysman_pwd <pwd>]