Chapter 4 Managing Oracle VM Manager Authentication

Managing Oracle VM Manager authentication includes changing the password for the administration user, restricting user authentication to specific groups, and configuring LDAP and Active Directory authentication providers.

4.1 Default Oracle VM Manager Users

During installation, several user accounts are created in Oracle WebLogic Server. These users allow you to log in to Oracle VM Manager or to perform various administration tasks. Some user accounts are created to enable internal functions within Oracle VM Manager.

User: admin

Description: Oracle VM Manager user. The password for this user is specified during installation of Oracle VM Manager. To change the password, use the Oracle VM Manager Administrator Tool.

User: weblogic

Description: Oracle WebLogic Server administration user. The password for this user is specified during installation of Oracle VM Manager. To change the password, use the Oracle VM Manager Administrator Tool.

User: OracleSystemUser

Description: Internal user account that is part of the Oracle Fusion Middleware (FMW) infrastructure. The password for this user is specified during installation of Oracle VM Manager. To change the password, use the Oracle VM Manager Administrator Tool.

User: ovs

Description: Internal user account that connects to the Oracle MySQL database user instance for Oracle VM Manager. The password for this user is specified during installation of Oracle VM Manager. To change the password, use the Oracle VM Manager Administrator Tool.

User: appframework

Description: Internal user account that establishes connection between the Oracle VM Manager Web Interface and the Oracle VM Web Services API. This user is created with a randomly generated 128 character password that consists of mixed case letters, digits, and special characters. The password is used only once to register an SSL client certificate that the Oracle VM Manager Web Interface uses to connect to the Oracle VM Web Services API. To change the password for this user account, use the Oracle WebLogic Server Administration Console.

Note
  • During an upgrade of Oracle VM Manager this user is replaced with a new account with a new randomly generated password.

  • You must not delete this user account. Deleting the user account breaks the internal connection between the Oracle VM Manager Web Interface and the Oracle VM Web Services API and requires you to re-install Oracle VM Manager.

4.2 Changing the Oracle VM Manager User Password

The Oracle VM Manager user lets you log in to the Oracle VM Manager Web Interface. The default username is admin. You set the password for this user when you install Oracle VM Manager. By default, the Oracle VM Manager user has the same password as the OracleSystemUser and the weblogic users. To secure your environment, you should change the password for the Oracle VM Manager user if you intend to share the Oracle VM Manager user credentials.

To change the password for the Oracle VM Manager user, do the following:

  1. Start an ssh session to the Oracle VM Manager host computer as the root user.

  2. Change to the following directory: /u01/app/oracle/ovm-manager-3/bin

  3. Run the following command: # ./ovm_admin --modifyuser

  4. Follow the prompts to change the user password.

This procedure involves using the Oracle VM Manager Administrator Tool to modify the user password. Refer to Section 3.1, “Oracle VM Manager Administrator Tool (ovm_admin)” for more information about the Administrator Tool. For an example of changing user passwords, see Section 3.1.4, “Changing User Passwords”.

4.3 Restricting User Authentication to Oracle WebLogic Server Groups

Configure Oracle VM Manager to restrict authentication to users in specific Oracle WebLogic Server groups, such as administrative groups, as follows:

  1. Start an ssh session to the Oracle VM Manager host computer.

  2. Open the following file for editing: /etc/sysconfig/ovmm.

  3. Specify the Oracle WebLogic Server user group that can authenticate to Oracle VM Manager as the value for the AUTHORIZED_GROUPS entry.

    Enclose the value in double quotes and use a comma to separate multiple values, for example:

    AUTHORIZED_GROUPS="group1,group2,group3"

  4. Save and close /etc/sysconfig/ovmm.

  5. Restart Oracle VM Manager to apply the changes.

Only users who belong to the groups that you specify can authenticate to Oracle VM Manager. If the AUTHORIZED_GROUPS entry does not exist, or has no value, then all Oracle WebLogic Server users can authenticate to Oracle VM Manager.
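The following audit check is an added example, not part of the Oracle documentation or tooling. It reports whether a file in the format shown above actually restricts authentication, covering the missing-entry and empty-value cases that leave Oracle VM Manager open to all Oracle WebLogic Server users. The function names are hypothetical, and the script assumes shell-style KEY="value" lines where the last uncommented assignment is the effective one.

```shell
#!/bin/sh
# Added example: audit the AUTHORIZED_GROUPS entry described in Section 4.3.
# The file is parsed as text and never sourced, so nothing in it is executed.

# Print the effective AUTHORIZED_GROUPS value with surrounding quotes removed.
# Assumption: the last uncommented assignment in the file is the effective one.
authorized_groups_value() {
    sed -n 's/^[[:space:]]*AUTHORIZED_GROUPS=//p' "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Return codes:
#   0 = authentication is restricted to the listed groups
#   1 = entry missing or empty (all Oracle WebLogic Server users can authenticate)
#   2 = file cannot be read
check_authorized_groups() {
    file=${1:-/etc/sysconfig/ovmm}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    value=$(authorized_groups_value "$file")
    if [ -z "$value" ]; then
        echo "UNRESTRICTED: AUTHORIZED_GROUPS is missing or empty in $file"
        return 1
    fi
    echo "RESTRICTED: only members of [$value] can authenticate ($file)"
    return 0
}

# Constructed sample files (not taken from a real host): one restricted,
# one with an empty value, one where the entry is only present as a comment.
demo_dir=$(mktemp -d)
printf '%s\n' 'AUTHORIZED_GROUPS="group1,group2,group3"' > "$demo_dir/restricted"
printf '%s\n' 'AUTHORIZED_GROUPS=""' > "$demo_dir/empty"
printf '%s\n' '#AUTHORIZED_GROUPS="group1"' > "$demo_dir/commented"
for f in "$demo_dir/restricted" "$demo_dir/empty" "$demo_dir/commented"; do
    check_authorized_groups "$f" || true
done
rm -rf "$demo_dir"
```

On the Oracle VM Manager host, call check_authorized_groups with no argument to check /etc/sysconfig/ovmm; a non-zero return code makes it usable in a scheduled compliance check.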

For more information about working with users and groups, navigate to the Manage users and groups topic in the Oracle WebLogic Server online help.

4.4 Enabling LDAP and Active Directory Authentication

Oracle VM Manager is an application that runs on Oracle WebLogic Server. For this reason, Oracle VM Manager supports any authentication providers that Oracle WebLogic Server supports.

To configure Oracle VM Manager to authenticate against an LDAP or Active Directory service, you must add the directory service as an authentication provider in Oracle WebLogic Server, as follows:

Note

The Oracle VM Manager upgrade process does not save and restore any configurations you create for external authentication providers. If you enable LDAP or Active Directory authentication and then upgrade Oracle VM Manager, you must complete the following steps after the upgrade to re-enable authentication.

  1. Open the Oracle WebLogic Server Administration Console at:

    https://hostname:7002/console

    Where hostname is the Oracle VM Manager hostname or IP address.

  2. Log in as the weblogic user.

  3. Click Lock & Edit to modify the domain.

  4. From the Domain Structure pane, select Security Realms, and then select myrealm.

    The settings page for the security realm displays.

  5. Select the Providers tab and locate the Authentication Providers table.

  6. Click New to create an authentication provider.

  7. Specify a name for the authentication provider, select LDAPAuthenticator as the type of authentication provider, and then click OK.

    The new authentication provider displays in the Authentication Providers table.

  8. Change the authentication sequence so that the LDAP authentication provider takes priority over other authentication providers.

    1. Click Reorder from the Authentication Providers table.

    2. Move the LDAP authentication provider to the top of the list and then click OK.

  9. Select the LDAP authentication provider you created from the Authentication Providers table.

    The settings page displays.

  10. On the Common tab, select SUFFICIENT as the value for Control Flag and then click Save.

  11. Select the Provider Specific tab, configure the authentication provider as appropriate, and then click Save.

  12. Click Activate Changes to apply your changes.

  13. Restart the Oracle VM Manager service as root:

    # service ovmm restart

Verify that the LDAP authenticator is configured and that the LDAP users and groups are populated in Oracle WebLogic Server, as follows:

  1. Log in to the Oracle WebLogic Server Administration Console.

  2. From the Domain Structure pane, select Security Realms, and then select myrealm.

  3. Select the Users and Groups tab.

  4. Verify that the LDAP users and groups are populated as appropriate.