Chapter 4 Managing Oracle VM Manager Authentication
Managing Oracle VM Manager authentication includes changing the password for the administration user, restricting user authentication to specific groups, and configuring LDAP and Active Directory authentication providers.
4.1 Default Oracle VM Manager Users
During installation, several user accounts are created in Oracle WebLogic Server. These users allow you to log in to Oracle VM Manager or to perform various administration tasks. Some user accounts are created to enable internal functions within Oracle VM Manager.
User | Description |
---|---|
 | Oracle VM Manager user. The password for this user is specified during installation of Oracle VM Manager. To change the password, use the Oracle VM Manager Administrator Tool. |
 | Oracle WebLogic Server administration user. The password for this user is specified during installation of Oracle VM Manager. To change the password, use the Oracle VM Manager Administrator Tool. |
 | Internal user account that is part of the Oracle Fusion Middleware (FMW) infrastructure. The password for this user is specified during installation of Oracle VM Manager. To change the password, use the Oracle VM Manager Administrator Tool. |
 | Internal user account that connects to the Oracle MySQL database user instance for Oracle VM Manager. The password for this user is specified during installation of Oracle VM Manager. To change the password, use the Oracle VM Manager Administrator Tool. |
 | Internal user account that establishes connection between the Oracle VM Manager Web Interface and the Oracle VM Web Services API. This user is created with a randomly generated 128 character password that consists of mixed case letters, digits, and special characters. The password is used only once to register an SSL client certificate that the Oracle VM Manager Web Interface uses to connect to the Oracle VM Web Services API. To change the password for this user account, use the Oracle WebLogic Server Administration Console. |
Related Information.
- For details about the Oracle VM Manager Administrator Tool, see Section 3.1, “Oracle VM Manager Administrator Tool (ovm_admin)”.
- For an example of how to change passwords with the Oracle VM Manager Administrator Tool, see Section 3.1.4, “Changing User Passwords”.
- For instructions on changing the Oracle VM Manager user password, see Section 3.1.4, “Changing User Passwords”.
- For details about changing user passwords in the Oracle WebLogic Server Administration Console, navigate to the Modify users topic in the Oracle WebLogic Server online help.
4.2 Changing the Oracle VM Manager User Password
The Oracle VM Manager user lets you log in to the Oracle VM Manager Web Interface. The default username is admin. You set the password for this user when you install Oracle VM Manager. By default, the Oracle VM Manager user has the same password as the OracleSystemUser and the weblogic users. To secure your environment, you should change the password for the Oracle VM Manager user if you intend to share the Oracle VM Manager user credentials.
To change the password for the Oracle VM Manager user, do the following:
- Start an ssh session to the Oracle VM Manager host computer as the root user.
- Change to the following directory:
  /u01/app/oracle/ovm-manager-3/bin
- Run the following command:
  # ./ovm_admin --modifyuser
- Follow the prompts to change the user password.
This procedure involves using the Oracle VM Manager Administrator Tool to modify the user password. Refer to Section 3.1, “Oracle VM Manager Administrator Tool (ovm_admin)” for more information about the Administrator Tool. For an example of changing user passwords, see Section 3.1.4, “Changing User Passwords”.
4.3 Restricting User Authentication to Oracle WebLogic Server Groups
Configure Oracle VM Manager to restrict authentication to users in specific Oracle WebLogic Server groups, such as administrative groups, as follows:
- Start an ssh session to the Oracle VM Manager host computer.
- Open the following file for editing: /etc/sysconfig/ovmm.
- Specify the Oracle WebLogic Server user group that can authenticate to Oracle VM Manager as the value for the AUTHORIZED_GROUPS entry. Enclose the value in double quotes and use a comma to separate multiple values, for example:
  AUTHORIZED_GROUPS="group1,group2,group3"
- Save and close /etc/sysconfig/ovmm.
- Restart Oracle VM Manager to apply the changes.
Only users who belong to the groups that you specify can authenticate to Oracle VM Manager. If the AUTHORIZED_GROUPS entry does not exist, or has no value, then all Oracle WebLogic Server users can authenticate to Oracle VM Manager.
For more information about working with users and groups, navigate to the Manage users and groups topic in the Oracle WebLogic Server online help.
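The following check is an added example, not part of the Oracle documentation. It reads a file in the format of /etc/sysconfig/ovmm and reports whether AUTHORIZED_GROUPS restricts authentication or leaves it open to every Oracle WebLogic Server user. The function names are hypothetical, and the script assumes that the last uncommented assignment in the file is the effective one.

```shell
#!/bin/sh
# Added example: audit the AUTHORIZED_GROUPS entry described in Section 4.3.

# Print the effective AUTHORIZED_GROUPS value with surrounding double quotes
# removed. Commented-out lines are ignored; the last assignment wins
# (assumption). Prints nothing if the entry does not exist.
ovmm_authorized_groups() {
    sed -n 's/^[[:space:]]*AUTHORIZED_GROUPS=//p' "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Return 0 and list the groups if authentication is restricted.
# Return 1 if the entry is missing or empty, which means that all
# Oracle WebLogic Server users can authenticate. A value that contains
# only commas or spaces is flagged the same way (conservative assumption).
ovmm_audit_groups() {
    list=$(ovmm_authorized_groups "$1" | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d')
    if [ -z "$list" ]; then
        echo "UNRESTRICTED: all Oracle WebLogic Server users can authenticate"
        return 1
    fi
    echo "RESTRICTED to: $(echo "$list" | paste -sd, -)"
}

# Constructed sample files (not taken from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' '# AUTHORIZED_GROUPS="old"' \
    'AUTHORIZED_GROUPS="group1, group2"' > "$demo_dir/restricted"
printf '%s\n' 'AUTHORIZED_GROUPS=""' > "$demo_dir/empty"

ovmm_audit_groups "$demo_dir/restricted"
ovmm_audit_groups "$demo_dir/empty" || true
```

On the Oracle VM Manager host, run `ovmm_audit_groups /etc/sysconfig/ovmm` after editing the file and treat a non-zero exit status as a finding.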
4.4 Enabling LDAP and Active Directory Authentication
Oracle VM Manager is an application that runs on Oracle WebLogic Server. For this reason, Oracle VM Manager supports any authentication providers that Oracle WebLogic Server supports.
To configure Oracle VM Manager to authenticate against an LDAP or Active Directory service, you must add the directory service as an authentication provider in Oracle WebLogic Server, as follows:
The Oracle VM Manager upgrade process does not save and restore any configurations you create for external authentication providers. If you enable LDAP or Active Directory authentication and then upgrade Oracle VM Manager, you must complete the following steps after the upgrade to re-enable authentication.
- Open the Oracle WebLogic Server Administration Console at:
  https://hostname:7002/console
  Where hostname is the Oracle VM Manager hostname or IP address.
- Log in as the weblogic user.
- Click Lock & Edit to modify the domain.
- From the Domain Structure pane, select Security Realms, and then select myrealm.
  The settings page for the security realm displays.
- Select the Providers tab and locate the Authentication Providers table.
- Click New to create an authentication provider.
- Specify a name for the authentication provider, select LDAPAuthenticator as the type of authentication provider, and then click OK.
  The new authentication provider displays in the Authentication Providers table.
- Change the authentication sequence so that the LDAP authentication provider takes priority over other authentication providers.
  - Click Reorder from the Authentication Providers table.
  - Move the LDAP authentication provider to the top of the list and then click OK.
- Select the LDAP authentication provider you created from the Authentication Providers table.
  The settings page displays.
- On the Common tab, select SUFFICIENT as the value for Control Flag and then click Save.
- Select the Provider Specific tab, configure the authentication provider as appropriate, and then click Save.
- Click Activate Changes to apply your changes.
- Restart the Oracle VM Manager service as root:
  # service ovmm restart
Verify that the LDAP authenticator is configured and that the LDAP users and groups are populated in Oracle WebLogic Server, as follows:
- Log in to the Oracle WebLogic Server Administration Console.
- From the Domain Structure pane, select Security Realms, and then select myrealm.
- Select the Users and Groups tab.
- Verify that the LDAP users and groups are populated as appropriate.