1. Cloud Control Security Guide
  2. Security Best Practices for Database Management in Enterprise Manager
  3. Kerberos and RADIUS Authentication
  4. One-time Database Target Login Using Any Supported Credential Type

One-time Database Target Login Using Any Supported Credential Type

You can perform one-time database target login using any of the supported credential types, instead of being forced to pre-define a named credential and then use that to log in to the database target. This is useful in situations where you do not want to save any credentials or keytab files in Enterprise Manager and want to use a local file (say on your laptop) to log in each time. This file can then be updated independent of Enterprise Manager.

When you select the New radio button for Credential on the database login page, a drop down menu displays allowing you to select from a list of credential types enabled for the database target, as shown in the following graphic.


Graphic shows a credential type selector for one-time login.

Enabling One-time Login

You enable one-time login using multiple credential types as well as enabling support for the two new credential types (RADIUS and Kerberos Keytab) via the OMS property oracle.sysman.db.multiCredTypeLogin.

emctl set property -name oracle.sysman.db.multiCredTypeLogin -value true

A value of false (or property not set) will disable this functionality and revert to the authentication functionality from Oracle Enterprise Manager 13c Release 5 Update 5 (13.5.0.5) and earlier. The default value is false if the property is absent.

Customizing the Credential Type Selection Menu for One

You can customize the list of credential types that appear in the Credential Type selection menu for one-time login shown above via the following OMS properties :

  • emctl set property -name oracle.sysman.db.enable_radius_auth -value true

    Enable RADIUS. Default is false if property is absent.

  • emctl set property -name oracle.sysman.db.enable_kerberos_auth -value true

    Enable both Kerberos-based credential types for one-time login on the database login page. The default is false if the property is absent.

Note:

None of the above property setting/changes require a restart of the OMS.

Example:

Say you want to enable one-time login to database targets using Kerberos username-password or Kerberos username-keytab. You would set the following OMS properties to enable the credential type drop-down on the database login page:

emctl set property -name oracle.sysman.db.multiCredTypeLogin -value true

AND

emctl set property -name oracle.sysman.db.enable_kerberos_auth -value true

If the above OMS properties are not set, you will still be able to define named credentials for Kerberos or RADIUS and use those to log into the database targets.