EMCTL Security Commands
This section explains the EMCTL security commands.
The topics covered in this section are:

- EMCTL Secure Commands
- Security Diagnostic Commands
- EMCTL EM Key Commands
- Configuring Authentication

EMCTL Secure Commands

Table 27-4 lists the general EMCTL security commands.
Table 27-4 EMCTL Secure Commands

EMCTL Command | Description
---|---
 | Sets up the SSL configuration for the HTTPS console port of the OMS.
 | Locks the OMS upload and console, thereby preventing plain HTTP access to the OMS.
 | Unlocks the OMS upload and console, thereby allowing HTTP access to the OMS.
 | Creates a new Certificate Authority (CA), which is used to issue certificates when the OMS and Management Agents are subsequently secured.
 | Adds a new Management Agent registration password.
 | Verifies whether the Management Repository is up.
 | Re-creates the Administrator Credentials wallet.
The parameter descriptions for the above commands are explained below.

- -host: Indicates the Software Load Balancer (SLB) or virtual host name.
- -ms_hostname: Indicates the actual host name of the machine where the OMS is running.
- -slb_port: Indicates the HTTPS port configured on the SLB for uploads.
- -slb_console_port: Indicates the HTTPS port configured on the SLB for console access.
- -no_slb: Removes the SLB configuration.
- -secure_port: Specifies a new HTTPS upload port on the WebTier.
- -upload_http_port: Specifies a new HTTP upload port on the WebTier.
- -reset: Creates a new CA.
- -force_newca: Forces the OMS to be secured with the new CA even when Management Agents are still secured with the older CA. Those Agents must be re-secured against the new CA afterwards.
- -console: Creates a certificate for the console HTTPS port as well.
- -lock_upload: Locks upload.
- -lock_console: Locks the console.
- -unlock_upload: Unlocks upload.
- -unlock_console: Unlocks the console.
- -wallet: Indicates the directory where the external wallet is located.
- -trust_certs_loc: Indicates the file containing all the trusted certificates.
- -key_strength: 512|1024|2048. The RSA key length in bits. 512 and 1024 are accepted for compatibility only; both are below current minimum recommendations, so use 2048.
- -sign_alg: Signature algorithm; md5|sha1|sha256|sha384|sha512. md5 and sha1 are no longer acceptable for certificate signatures and modern browsers and TLS stacks reject them; use sha256 or stronger.
- -cert_validity: Indicates the number of days the certificate should be valid. The minimum value is 1 and the maximum value is 3650.
- -protocol: Indicates the SSL protocol to be used on the WebTier. The valid values for <protocol> are the values accepted by Apache's SSLProtocol directive.
- -jks_loc: Indicates the location of the JKS containing the custom certificate for the administrator and managed servers.
- -jks_pvtkey_alias: Indicates the JKS private key alias.
- -jks_pwd: Indicates the JKS key store password.
- -jks_pvtkey_pwd: Indicates the JKS private key password.
- -wallet: Indicates the location of the wallet containing the custom certificate for the administrator and managed servers.
- -use_demo_cert: Configures the demonstration certificate for the administrator and managed servers. The demonstration certificate and its private key ship with every installation and are publicly known, so this option is suitable only for test environments.
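As an added example that is not part of Oracle's documentation or EMCTL tooling: the -key_strength and -sign_alg parameters above still accept values that are weak today, and a typo in either is easy to miss once the command has run. The POSIX shell script below fetches the certificate actually served on an OMS HTTPS port and checks it against a simple policy (RSA keys shorter than 2048 bits and md5/sha1 signatures are flagged; a remaining validity longer than the page's 3650-day maximum is noted). It assumes openssl is on PATH; the host name oms.example.test and the ports 4900 and 7799 are placeholders for your own upload and console ports.

```shell
#!/bin/sh
# Added example (not Oracle's code): verify the certificate an OMS HTTPS port
# serves after securing it, flagging the weak values the emctl secure
# parameters still accept. Assumes: openssl on PATH. Host and ports used in
# main are placeholders.

MIN_BITS=2048                 # policy: RSA keys shorter than this are weak

key_bits_is_weak() {          # $1 = key size in bits
    [ "${1:-0}" -lt "$MIN_BITS" ]
}

sig_alg_is_weak() {           # $1 = signature algorithm as printed by openssl
    case "$1" in
        *md5*|*sha1*|*MD5*|*SHA1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Save the leaf certificate served on host:port as PEM into $3.
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

cert_key_bits() {             # $1 = PEM file; prints e.g. 2048
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

cert_sig_alg() {              # $1 = PEM file; prints e.g. sha256WithRSAEncryption
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 if the certificate passes policy; print one line per finding.
check_cert_policy() {         # $1 = PEM file, $2 = max days of remaining validity
    pem="$1"; max_days="${2:-3650}"; rc=0
    bits=$(cert_key_bits "$pem")
    alg=$(cert_sig_alg "$pem")
    if key_bits_is_weak "$bits"; then
        echo "WEAK: ${bits:-unknown}-bit key; re-secure with -key_strength 2048"; rc=1
    fi
    if sig_alg_is_weak "$alg"; then
        echo "WEAK: $alg signature; re-secure with -sign_alg sha256 or stronger"; rc=1
    fi
    # -checkend exits 0 only if the certificate is still valid N seconds from now,
    # i.e. its remaining validity exceeds max_days (more than -cert_validity allows).
    if openssl x509 -in "$pem" -noout -checkend $((max_days * 86400)) >/dev/null; then
        echo "NOTE: certificate remains valid for more than $max_days days"
    fi
    return $rc
}

main() {                      # main <oms host> <https port> [<https port>...]
    host="$1"; shift
    for port in "$@"; do
        tmp=$(mktemp)
        fetch_served_cert "$host" "$port" "$tmp"
        echo "== $host:$port: $(cert_key_bits "$tmp")-bit key, $(cert_sig_alg "$tmp")"
        check_cert_policy "$tmp" || echo "$host:$port FAILS policy"
        rm -f "$tmp"
    done
}

# Example invocation (placeholder host; upload and console HTTPS ports):
#   sh check_oms_cert.sh oms.example.test 4900 7799
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it once against the upload port and once against the console port, since the -console parameter creates a separate certificate for the console HTTPS port and the two can differ.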
Security Diagnostic Commands

Table 27-5 lists the EMCTL security diagnostic commands.

Table 27-5 EMCTL Security Diagnostic Commands

EMCTL Command | Description
---|---
 | Diagnoses connectivity issues to the specified URL.
 | Displays the trust certificates stored in the specified repository.
 | Displays the trust certificates present in the specified key store, wallet, or base64 file.
EMCTL EM Key Commands

Table 27-6 lists the EMCTL EM Key commands.

Table 27-6 EMCTL EM Key Commands

EMCTL Command | Description
---|---
 | Displays the health or status of the EM Key.
 | Copies the
 | Removes the
 | Copies the
 | Copies the
 | Copies the
 | Copies the
Configuring Authentication

This section explains the EMCTL commands for configuring authentication.

The commands covered in this section are:

- Configuring OSSO Authentication
- Configuring OAM Authentication
- Configuring LDAP (OID and AD) Authentication

The parameter descriptions for all these commands are given below. Parameters shown in square brackets in the command syntax are optional. The password parameters (-sysman_pwd, -ldap_credential, -oid_credential, -keystore_pwd) are accepted on the command line; a value given that way is recorded in the shell history and is visible to other users of the host in the process listing for as long as the command runs, so keep such invocations out of scripts and saved histories.

- -enable_auto_provisioning: Enables automatic provisioning in EM, so that external LDAP users need not be provisioned manually in EM.
- -auto_provisioning_minimum_role <min_role>: Automatically provisions only those external users who have min_role granted to them in LDAP.
- -minimum_privilege <min_priv>: Denies access to EM to users who do not have min_priv granted to them.
- -use_ssl: Uses SSL to connect to the LDAP server. Without it, the bind credential and every user password that EM validates travel to the LDAP server in cleartext.
- -cert_file <cert>: Indicates the LDAP server certificate used to establish trust when connecting to the LDAP server over SSL. Specify this option if the LDAP server's certificate is signed by a certificate authority that is not already trusted. Note: this parameter accepts only a single certificate; importing certificate chains is not supported. Import the certificate using the keytool utility before running this command.
- -trust_cacerts: Establishes trust in the LDAP server's certificate when connecting to the LDAP server. This parameter is typically used if the certificate is signed by a well-known certificate authority.
- -keystore_pwd <passwd>: Indicates the password for the default DemoTrust.jks keystore (if the default password has been changed), or for any custom keystore into which the LDAP server's certificate will be imported as part of validation.
- -use_anonymous_bind: Uses an anonymous bind to connect to the LDAP server.
Configuring OSSO Authentication

The EMCTL OSSO authentication command configures Enterprise Manager to use Oracle Application Server Single Sign-On, so that any single sign-on user can be registered as an Enterprise Manager administrator. The EMCTL command to configure OSSO authentication is:

emctl config auth sso -ossoconf <conf file loc> -dasurl <DAS URL> [-unsecure] [-sysman_pwd <pwd>] [-domain <domain>] -ldap_host <ldap host> -ldap_port <ldap port> -ldap_principal <ldap principal> [-ldap_credential <ldap credential>] -user_base_dn <user base DN> -group_base_dn <group base DN> [-logout_url <sso logout url>] [-enable_auto_provisioning] [-auto_provisioning_minimum_role <min_role>] [-minimum_privilege <min_priv>] [-use_ssl] [-cert_file <cert>] [-trust_cacerts] [-use_anonymous_bind] [-keystore_pwd <passwd>]

For example:

emctl config auth sso -ossoconf $T_WORK/osso.conf -dasurl "http://xxx.oracle.com:11" -sysman_pwd sysman -ldap_host xxx.oracle.com -ldap_port 111 -ldap_principal cn=orcladmin -ldap_credential ackdele1 -user_base_dn "cn=Users,dc=us,dc=oracle,dc=com" -group_base_dn "cn=Groups,dc=us,dc=oracle,dc=com" -logout_url "http://xxx.oracle.com:11/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=https://xyy.oracle.com:216/em"
Configuring OAM Authentication

Oracle Access Manager authentication is the Oracle Fusion Middleware single sign-on solution. This authentication scheme is used in data centers that have standardized on Oracle Access Manager as the central tool for authentication across all enterprise applications. The EMCTL command to configure OAM authentication is:

emctl config auth oam [-sysman_pwd <pwd>] -oid_host <host> -oid_port <port> -oid_principal <principal> [-oid_credential <credential>] [-use_anonymous_bind] -user_base_dn <dn> -group_base_dn <dn> -oam_host <host> -oam_port <port> [-logout_url <url>] [-is_oam10g] [-user_dn <dn>] [-group_dn <dn>] [-enable_auto_provisioning] [-auto_provisioning_minimum_role <min_role>] [-minimum_privilege <min_priv>] [-use_ssl] [-cert_file <cert>] [-trust_cacerts] [-keystore_pwd <passwd>]

For example (the logout URL is quoted because it contains characters the shell would otherwise interpret):

emctl config auth oam -oid_host "xxx.oracle.com" -oid_port "111" -oid_principal "cn=orcladmin" -user_base_dn "cn=users,dc=us,dc=oracle,dc=com" -group_base_dn "cn=groups,dc=us,dc=oracle,dc=com" -oam_host "xxx.oracle.com" -oam_port "555" -oid_credential "eldleco1" -sysman_pwd "sysman" -logout_url "http://xxx.oracle.com:23716/oam/server/logout?end_url=https://yyy.oracle.com:5416/em" -enable_auto_provisioning -auto_provisioning_minimum_role "EM_DBA"
Configuring LDAP (OID and AD) Authentication

The OID authentication command configures Oracle Internet Directory as the identity store against which all applications authenticate their users. Similarly, the AD authentication command configures Microsoft Active Directory as the identity store against which all applications authenticate their users.

The EMCTL command for configuring OID authentication is given below. For AD, replace emctl config auth oid with emctl config auth ad; all other parameters remain the same.

emctl config auth oid -ldap_host <ldap host> -ldap_port <ldap port> -ldap_principal <ldap principal> [-ldap_credential <ldap credential>] [-sysman_pwd <pwd>] -user_base_dn <user base DN> -group_base_dn <group base DN> [-user_dn <dn>] [-group_dn <dn>] [-enable_auto_provisioning] [-auto_provisioning_minimum_role <min_role>] [-minimum_privilege <min_priv>] [-use_ssl] [-cert_file <cert>] [-trust_cacerts] [-use_anonymous_bind] [-keystore_pwd <passwd>]

For example:

emctl config auth oid -ldap_host "xxx.oracle.com" -ldap_port "111" -ldap_principal "cn=orcladmin" -user_base_dn "cn=users,dc=us,dc=oracle,dc=com" -group_base_dn "cn=groups,dc=us,dc=oracle,dc=com" -ldap_credential "elecmee1" -sysman_pwd "sysman" -use_ssl -cert_file "/scratch/oidcert.txt"
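As an added example that is not part of Oracle's documentation or tooling: the -use_ssl -cert_file combination shown for OID, AD, OSSO and OAM above requires a file holding exactly one certificate, and the page says to import it with keytool beforehand. The POSIX shell script below produces that file from a live LDAPS port, keeping only the leaf certificate the server presents, refuses to continue if the file somehow holds a chain, prints the subject, issuer and SHA-256 fingerprint so the operator can confirm it is the expected server before trusting it, and then imports it into a JKS trust store with keytool. It assumes openssl and keytool are on PATH; the host, port, keystore path, alias ldap-server and output file name are placeholders.

```shell
#!/bin/sh
# Added example (not Oracle's code): prepare the certificate passed as
# -cert_file to emctl config auth oid/ad/sso/oam when the LDAP server's
# certificate comes from a CA that is not already trusted. -cert_file takes
# exactly one certificate (chains are not supported), so only the leaf is
# kept. Assumes: openssl and keytool on PATH. Host, port, keystore path,
# alias and output file name are placeholders.

# Number of PEM certificate blocks in a file (0 if none or unreadable).
count_pem_certs() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# True when the file holds exactly one certificate, as -cert_file requires.
cert_file_is_single() {
    [ "$(count_pem_certs "$1")" -eq 1 ]
}

# Save only the leaf certificate served on an LDAPS port: openssl x509 reads
# the first certificate of the chain that s_client prints.
fetch_ldap_leaf_cert() {        # $1 host, $2 port, $3 output PEM
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Print subject, issuer, expiry and SHA-256 fingerprint for operator review.
describe_cert() {               # $1 PEM
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Import into a JKS trust store with keytool, the utility the page names.
# The page's default store is DemoTrust.jks; the path here is a placeholder.
import_into_keystore() {        # $1 PEM, $2 keystore, $3 store password
    keytool -importcert -noprompt -trustcacerts -alias ldap-server \
        -file "$1" -keystore "$2" -storepass "$3"
}

main() {                        # main <ldap host> <ldaps port> <keystore>
    host="$1"; port="$2"; store="$3"; out="./oidcert.txt"
    fetch_ldap_leaf_cert "$host" "$port" "$out"
    if ! cert_file_is_single "$out"; then
        echo "$out holds $(count_pem_certs "$out") certificates; -cert_file needs exactly one" >&2
        exit 1
    fi
    describe_cert "$out"
    # Read the store password interactively rather than taking it as an argument.
    printf 'Keystore password: '; stty -echo; read -r pw; stty echo; echo
    import_into_keystore "$out" "$store" "$pw"
    echo "pass $out as -cert_file to emctl config auth (with -use_ssl)"
}

# Example invocation (placeholders):
#   sh prepare_ldap_cert.sh ldap.example.test 636 /path/to/DemoTrust.jks
if [ "$#" -eq 3 ]; then main "$@"; fi
```

If the directory's certificate is issued by a CA that the keystore already trusts, use -trust_cacerts instead and skip this step.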