2 Security Features

2.1.3.1 Removing Oracle Access Manager Single Sign-On

To remove SSO configuration, run emctl config auth repos command. This will remove the Weblogic providers that were configured with emctl config auth oam command and the OMS properties as well.

2.1.3.2 Oracle Single Sign-On (SSO) Based Authentication

If you are currently using Oracle Application Server Single Sign-On (Oracle SSO) to control access and authorization for your enterprise applications, you can extend those capabilities to the Enterprise Manager console.

By default, Enterprise Manager displays the main logon page. However, you can configure Enterprise Manager so it uses Oracle Application Server Single Sign-On to authenticate your Enterprise Manager users. Instead of seeing the Enterprise Manager logon page, users will see the standard Oracle Application Server Single Sign-On logon page. From the logon page, administrators can use their Oracle Application Server Single Sign-On credentials to access the Oracle Enterprise Manager 12c Cloud Control console.

The following sections describe how to configure Enterprise Manager as an Oracle Application Server Single Sign-On Partner Application:

• Registering Enterprise Manager as a Partner Application

• Removing Single Sign-On Configuration

• Registering Single Sign-On Users as Enterprise Manager Administrators

• Bypassing the Single Sign-On Logon Page

emcli create_user
         -name="new_admin"
         -email="first.last@oracle.com;joe.shmoe@shmoeshop.com"
         -roles="public"
         -privilege="view_job;923470234ABCDFE23018494753091111"
         -privilege="view_target;<host>.com:host" 

emcli create_user
         -name="User1"
         -type="EXTERNAL_USER"
         -input_file="privilege:/home/user1/priv_file"

         Contents of priv_file are:
           view_target;<host>.com:host

emcli create_user
         -name="User1"
         -desc="This is temp hire."
         -prevent_change_password="true"
         -profile="MGMT_ADMIN_USER_PROFILE"

emcli create_user
         -name="User1"
         -desc="This is temp hire."
         -expire="true" 

2.1.4.1 Registering Enterprise Users (EUS Users) as Enterprise Manager Users

After you have configured Enterprise Manager to use Enterprise Users (EUS), you can register existing enterprise users as Enterprise Manager Users and grant them the necessary privileges so that they can manage Enterprise Manager effectively.

You can register existing enterprise users by using:

• Enterprise Manager Console

• Enterprise Manager Command Line Interface (EM CLI)

emcli create_user -name=eususer -type=DB_EXTERNAL_USER

2.1.7.1 Bypassing the Single Sign-On Logon Page

If the OMS is configured with SSO or OAM or some other authentication method, you may want to by-pass the Single Sign-On or OAM authentication under certain circumstances.To bypass the SSO logon page, connect to the following URL:

1. Connect to https://ms_host:ms_https_port/em

   ms_host & ms_https_port are WLS-managed server's hostname & port#. These parameters can be found in the EM_INSTANCE_HOME/emgc.properties file. They are listed as EM_INSTANCE_HOST & MS_HTTPS_PORT in this file.

2. Log in using a repository user's credentials.

2.1.7.2 Restoring the Default Authentication Method

1. Run the following command on each OMS:

   emctl config auth repos [-sysman_pwd <pwd>]

   Sample command output:

   Oracle Enterprise Manager Cloud Control 12c Release 12.1.0.3.0
   Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
   Configuring Repos Authentication ... Started
   Configuring Repos Authentication ... Successful
   If you have updated files like httpd.conf (for example, while installing WebGate), rollback them.
   If this is a multi-OMS environment, execute this command on remaining servers.
   After that, restart OMS(s) using: 'emctl stop oms -all' and 'emctl start oms'
   

2. Run the following commands on each OMS:

   emctl stop oms -all

   emctl start oms

If you have configured OAM SSO, you need to manually un-install Webgate and remove the Webgate directives from Apache httpd.conf.

If you have configured with OSSO, you need to manually remove the OSSO directives from httpd.conf.

2.1.11.1 Configuring Single Sign-on based Authentication

This section covers the following topics:

• Configuring Single-Sign-on with Oracle Access Manager 10g

• Configuring Single-Sign-on with Oracle AS SSO 10g

emcli create_user
         -name="new_admin"
         -email="first.last@oracle.com;joe.shmoe@shmoeshop.com"
         -roles="public"
         -privilege="view_job;923470234ABCDFE23018494753091111"
         -privilege="view_target;<host>.com:host" 

emcli create_user
         -name="User1"
         -type="EXTERNAL_USER"
         -input_file="privilege:/home/user1/priv_file"

         Contents of priv_file are:
           view_target;<host>.com:host

emcli create_user
         -name="User1"
         -desc="This is temp hire."
         -prevent_change_password="true"
         -profile="MGMT_ADMIN_USER_PROFILE"

emcli create_user
         -name="User1"
         -desc="This is temp hire."
         -expire="true" 

2.1.12.1 Registering Enterprise Users as Enterprise Manager Users

After you have configured Enterprise Manager to use Enterprise Users, you can register existing enterprise users as Enterprise Manager Users and grant them the necessary privileges so that they can manage Enterprise Manager effectively.

You can register existing enterprise users by using:

• Enterprise Manager Graphic User Interface

• Enterprise Manager Command Line Interface

emcli create_user -name=eususer -type=DB_EXTERNAL_USER

2.1.13.1 Bypassing the Single Sign-On Logon Page

If the OMS is configured with SSO or OAM or some other authentication method, you may want to by-pass the Single Sign-On or OAM authentication under certain circumstances.To bypass the SSO logon page, connect to the following URL:

1. Connect to https://ms_host:ms_https_port/em

   ms_host & ms_https_port are WLS-managed server's hostname & port#. These parameters can be found in the EM_INSTANCE_HOME/emgc.properties file. They are listed as EM_INSTANCE_HOST & MS_HTTPS_PORT in this file.

2. Log in using a repository user's credentials.

2.1.13.2 Restoring the Default Authentication Method

1. Run the following command on each OMS:

   emctl config auth repos [-sysman_pwd <pwd>]
   

   Sample command output:

   Oracle Enterprise Manager Cloud Control 12c Release 12.1.0.3.0
   Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
   Configuring Repos Authentication ... Started
   Configuring Repos Authentication ... Successful
   If you have updated files like httpd.conf (for example, while installing WebGate), rollback them.
   If this is a multi-OMS environment, execute this command on remaining servers.
   After that, restart OMS(s) using: 'emctl stop oms -all' and 'emctl start oms'
   

2. Run the following commands on each OMS:

   emctl stop oms -all
   emctl start oms
   

2.2.3.1 Granting Privileges

A privilege is a right to perform management actions within Enterprise Manager. Privileges can be divided into two categories:

• Target Privileges

• Resource Privileges

Target Privileges: These privileges allow an administrator to perform operations on a target. As such, there is a defined hierarchy privilege hierarchy the categorizes target privileges into the following levels:

• FULL: Highest level that includes OPERATOR and VIEW

• OPERATOR: Medium level that permits specific management actions. OPERATOR privilege is also an example of a privilege that can include other privileges. For example, OPERATOR privileges include blackout privileges, and any user granted an OPERATOR target privilege is automatically granted the Blackout Target privilege. See Table 2-3, "Target Privileges Applicable to Specific Targets" for more information.

• VIEW: Lowest level permitting only view access to targets.

There are 2 types of target privileges:

• Privileges applicable to all targets. These privileges allow administrators to perform operations on all components with the Enterprise Manager infrastructure.

• Privileges that are specific to a particular target instance.

The Target Privileges page shows a list of targets for which privileges can be granted.

Resource: These privileges allow a user to perform operations against specific types of resources. The following table lists all available resource privileges.

2.2.3.2 Creating Roles

A role is a collection of Enterprise Manager resource privileges, or target privileges, or both, which you can grant to administrators or to other roles. These roles can be based upon geographic location (for example, a role for Canadian administrators to manage Canadian systems), line of business (for example, a role for administrators of the human resource systems or the sales systems), or any other model. Administrators do not want to perform the task of individually granting access to tens, hundreds, or even thousands of targets to every new member of their group.By creating roles, an administrator needs only to assign the role that includes all the appropriate privileges to his team members instead of having to grant many individual privileges. He can divide workload among his administrators by filtering target access, or filtering access to management task, or both. You can also configure Enterprise Manager to work with an external authentication provider to manage authorization as well by using external roles. For more information, see "External Authorization using External Roles".

Out-of-Box Roles: Enterprise Manager Cloud Control 12c comes with predefined roles to manage a wide variety of resource and target types. The following table lists some of the roles along with their function.

Public Role: Enterprise Manager creates one role by default called Public. This role is unique in that it is automatically assigned to all new non-super administrators when they are created. By default it has no privileges assigned to it. The Public role should be used to define default privileges you expect to assign to a majority of non-super administrators you create. Privileges need not be assigned to Public initially - they can be added at any time. The role may be deleted if your enterprise does not wish to use it. If deleted, it can be added back in later if you later decide to implement it.

2.2.3.3 Using Roles to Manage Privileges

Privileges are ultimately granted to administrators to enable them to manage targets in Enterprise Manager. While you can grant specific privileges to individual administrators, tracking and granting privileges on many targets across many administrators easily becomes error-prone and an administrative burden in itself. Our recommendation is to define and use roles to manage the granting of privileges to administrators. A role is a user-defined set of privileges typically containing the set of privileges that you want to grant to a team of users. A role can contain other roles as well. For example, you can create a First Line Support role containing the privileges needed for the administrators to view and manage incidents on targets. Once this role is created, you can grant this role to the appropriate administrators who will manage these incidents as part of their job responsibility. If you need to change the set of privileges for your administrators, e.g. add new privileges or remove privileges, then all you need to do is update the role. The updated set of privileges in the role is automatically enabled for the administrators to whom the role has been granted. Likewise if new administrators are added, all you need to do is grant them the appropriate role(s) instead of granting them individual privileges.

Using roles is one big step towards managing privileges. However, there is still the challenge of having to keep the role updated with privileges on new targets as they are added to Enterprise Manager. Privilege-propagating groups are meant to address this challenge and will be discussed next.

2.2.4.1 Example1: Granting various teams different levels of access to target groups

Consider a collection of Database Instances and WebLogic Servers within an organization are managed by separate teams within the organization. Both teams are using Enterprise Manager to manage their targets.The DBAs want full access privileges to their Database Instances and view privileges on the WebLogic Servers. Similarly, the WebLogic Server administrators want full privileges on the WebLogic Servers and view privileges on the Database Instances.

To manage privileges across the two teams, first create two privilege propagating groups containing the targets of the respective teams. For example, you can create a target group called DBAGroup containing the database Instances and another target group called WLSGroup containing the Oracle WebLogic Servers. DBAGroup contains the Database Instances that can be modified and managed by DBAs. While the WLSGroup is a group of Web Logic Servers modified and managed by the Web Logic Server administrators . Additionally, the DBAs want to view the Web Logic Server targets and the Web Logic Server technicians want to view the Database Instances. The following steps will show how to set up these target groups, privileges and roles, and how to grant the appropriate roles to the correct Administrator.

Here are the steps to follow:

1. Create a target group. On the console go to Targets->Groups from the drop down menu.

   
   

2. Click "Create" from the menu and select "Group" from the drop down menu.

   
   

3. Enter the name DBAGroup.

   Enable "Privilege Propagation" group, by checking the box. This allows Administrators to do a one-time grant of privileges on a group to a user and that privilege will automatically be propagated (or applied) to each member of that group.

4. Add the database targets you want to add to the new database group, DBAGroup. This is done by hitting the "Add" button, selecting the Database Instance targets from the list. Hit the "Select" button.

   
   

5. Select "OK".

   
   

6. Your new group, DBAGroup, should be displayed in the list of available groups.

   
   

7. Now create a second privilege propagating group, by repeating the steps 1-6, calling it WLSGroup, and adding the appropriate WebLogice Server targets to this group.

8. Your second group WLSGroup, should be displayed in the list of available groups.

   
   

9. Next, create the Roles. A role contains privileges that can be granted to an administrator. Proceed to the Roles page. Go to the Setup->Security->Roles page. As in the snapshot below.

   
   

10. Click "Create" button.

    
    

11. On the Properties page, type the name of your role. In this example we have named it DBA-ROLE. This Role will contain privileges for the DBA team. It will contain Full privilege on all database Instances in the DBAGroup and view privilege on all Web Logic Server Instances in the WLSGroup. Hit the "Next" button.

    
    

12. Click "Next" on the "Roles" page.

    
    

13. On the "Target Privileges" page, scroll down to the "Target Privileges" section, at the bottom of the page. Click the "Add" button. The list of available targets is displayed. Select the "Group" Target Type, to improve the search. Select the two groups we just created, DBAGroup and WLSGroup.

    
    

14. Our two groups will be displayed. For this role, DBA-ROLE, we want to grant "Full" on all databases in the DBAGroup and grant "View" on all WebLogic server targets in the WLSGroup. As the default privilege is "View" we need only modify the DBAGroup privilege for this Role, leaving the WLSGroup, with the default "View" privilege. This is done by selecting the pencil icon, to the right of "View" in the "Manage Target Privilege Grants" column. Hit the "Continue" button.

    
    

15. Click the privilege "Full", select the "Continue" button.

    
    

16. The new privilege will be displayed. Select the "Next" button.

    
    

17. Select the "Next" button on the Resource Privilege page.

    
    

18. Select the Administrators you want to grant this role, DBA-ROLE too. Select the "Next" button.

    
    

19. Review the setting of your new role DBA-ROLE.

    
    

20. Next we create our second Role, WLS-ROLE. This Role will allow users granted this role full privilege on all the WebLogic Servers in WLSGroup and view privilege on all Database Instances in the DBAGroup. Repeat Steps 10-19, naming our second Role WLS-ROLE. Proceed to the review page, as displayed below.

    
    

2.2.4.2 Example2: Granting developers view access to target database instances.

Datacenters would often like to provide application developers read-only access to database performance pages in Enterprise Manager in order for them to get firsthand information on the impact of their applications on the underlying database. The DBAs responsible for these databases want to grant these developers read-only access to these database performance pages and restrict them from doing any write operations on the database. The DBAs may not want to share database user account information with the developers nor create individual user accounts on every Database Instance.

You can use the 'Connect Target Read-Only' privilege to enable read-only access to a target. To manage the granting of this privilege across many databases to a team of developers, you can create a privilege propagating group, and add the Database Instances to this target group, calling it, for example DevGroup. You create a role, for example DEV-ROLE and grant the privilege, "Connect Target Read-Only" on his Role, in doing so, you assign this Role to each Developer, granting him access to the performance data in those Database Instances. As these engineers do not have individual user accounts on each Database Instance we will create a Named Credential, call it DevCred which contains database user credentials and we will assign this Named Credential to each Developer needing access to the performance data in the Database Instances. The following steps will show you how to set up the target group and assign Roles and Named Credentials to this group.

Here are the steps to follow:

1. Create a group of targets. On the console go to Targets->Groups from the drop down menu.

   
   

2. Click "Create" and select "Group" from the drop down menu.

   
   

3. Enter the name of your new target group, for this User Case we shall call it DevGroup.

4. Enable "Privilege Propagation" group, by checking the box. This allows Administrators to do a one-time grant privileges on a group to a user and have that privilege be automatically propagated (or applied) to each member of that group. Add the database Targets you want to add to the group. This is done by hitting the "Add" button and selecting the Targets from the list.

   
   

5. Select "OK".

6. The new target group, DevGroup, is displayed in the list of available groups.

   
   

7. Next, create a view only Role for the Target DevGroup. A Role is a privilege that is granted to an Administrator. Proceed to the Roles page, go to the Setup->Security->Roles page. As indicated below.

   
   

8. Click "Create" button.

9. On the properties page, type the name of the new Role, DEV-ROLE, hit the "Next" button.

   
   

10. Click "Next" on the "Roles" page.

    
    

11. On the "Target Privileges" page, scroll down to the "Target Privileges" section, at the bottom of the page. Click the "Add" button. The available targets are displayed. Select the "Group" Target Type, to improve the search. Select the group we just created, DevGroup. Hit the "Select" button.

    
    

12. The target group is displayed. For this role, DEV-ROLE, we want to grant "Connect Target Read-Only" on all databases in the DevGroup. This is done by selecting the pencil icon, to the right of "View" in the "Manage Target Privilege Grants" column.

    
    

13. Click the privilege "Connect Target Read-Only", scroll to the bottom of the page. Select the "Continue" button.

    
    

14. The new privilege is displayed. Select the "Next" button

    
    

15. Select the "Next" button on the Resource Privilege page.

    
    

16. Select the Administrators you want to grant this role, DEV-ROLE too. Select the "Next" button.

    
    

17. Review the setting of your new role DEV-ROLE.

    
    

18. Next we will create a Named Credential. In this case a Named Credential contains the database credentials used to log on to the database. It will be used by the developer to access the database performance pages in Enterprise Manager. Follow the link "Setup"->"Security"->"Named Credential".

    
    

19. Hit the "Create" button.

    
    

20. Enter the Username and Password information that this Named Credential will use to log onto the database. We have selected the following information:

    Credential name: DevCred

    Authenticating Target Type: Database Instance -For this Use Case, we are interested in granting access to the development engineers the database Instances in the DevGroup.

    Credential Type: Database Credentials - For this Use Case, we are supplying the username and password for the target Type specified above.

    Scope: Global - For this User Case, this username and password will apply to every Database. Hit the "Test and Save" button.

    
    

21. Enter a valid "Test Target Name", and hit the "Test and Save" button.

    
    

22. Our new Named Credential will be displayed. To Grant this Named Credential to a one of the development Engineers, hit the "Manage Access" button.

    
    

23. Hit the "Add Grant" button.

    
    

24. Select the Development Engineers you wish to use this Named Credential. Hit the "Select" button.

    
    

25. The User information will be displayed at the bottom of the page. More users may be added, if desired.

    
    

26. When this Development Engineer logs into Enterprise Manager they will have access to view necessary data, such as performance information. However, as expected, they are unable to perform any write operation to the databases. If the user does attempt to perform a write operation on any database, the following error will be displayed in Enterprise Manager.

    
    

2.2.4.3 Entitlement Summary

The Administrators Entitlement page displays all the privileges and roles granted to that Administrator. This page also summarizes an Administrators access to targets as well as displaying the named credentials and secure resources owned by that Administrator. The following fiture shows an example of the Enterprise Manager Administrator Entitlement page. You can access this page by clicking on the dropdown menu, beside the Administrators name, and clicking Entitlement Summary.

Figure 2-5 Entitlement Summary Page

2.3.2.1 Configuring the OMS with Server Load Balancer

When you deploy a Management Service that is available behind a Server Load Balancer (SLB), special attention must be given to the DNS host name through which the Management Service will be available. Although the Management Service may run on a particular local host, for example myhost.mycompany.com, your Management Agents will access the Management Service using the host name that has been assigned to the Server Load Balancer. For example, oracleoms.mycompany.com.

As a result, when you enable Enterprise Manager Framework Security for the Management Service, it is important to ensure that the Server Load Balancer host name is embedded into the Certificate that the Management Service uses for SSL communications. This may be done by using emctl secure oms and specifying the host name using an extra -host parameter as shown below.

• Enable security on the Management Service by entering the following command:

  emctl secure oms -host <slb_hostname> [-slb_console_port <slb UI port>] [-slb_port <slb upload port>] [other params]

  Run this command on each OMS. You will need to restart each OMS after running the 'emctl secure oms' command.

• Create virtual servers and pools on the Server Load Balancer.

• Verify that the console can be accessed using the following URL:

  https://slbhost:slb_console_port/em

• Re-secure the Agents with Server Load Balancer by using the following command:

  emctl secure agent -emdWalletSrcUrl <SLB Upload or UI URL>

  For example:

  Agent_Home/bin/emctl secure agent -emdWalletSrcUrl https://slbost:slb_upload_port/em

2.3.2.2 Enabling Security with Multiple Management Service Installations

As you have already established at least one Agent Registration Password and a Root Key in your Management Repository, they must be used for your new Management Service. Your secure Management Agents can then operate against either Management Service.

All the registration passwords assigned to the current Management Repository are listed on the Registration Passwords page in the Oracle Enterprise Manager 12c Cloud Control console.

If you install a new Management Service that uses a new Management Repository, the new Management Service is considered to be a distinct enterprise. There is no way for the new Management Service to partake in the same security trust relationship as another Management Service that uses a different Management Repository. Secure Management Agents of one Management Service will not be able to operate against the other Management Service.

2.3.2.3 Creating a New Certificate Authority

You may need to create a new Certificate Authority (CA) if the current CA is expiring, if you want to change the key strength, or if you want to change the signature algorithm. A unique identifier is assigned to each CA. For instance, the CA created during installation may have an identifier as ID 1, subsequent CAs will have the IDs 2,3, and so on. At any given time, the last created CA is active and issues certificates for OMSs and Agents.

1. Run the emctl secure createca command on one of the OMS machines.

2. If there are multiple OMSs in your environment, copy <EM_Instance_Home>/sysman/config/b64LocalCertificate.txt from the machine on which emctl secure createca was run to all other OMS machines at the same location i.e <EM_Instance_Home>/sysman/config/b64LocalCertificate.txt

3. Restart all the OMSs.

emctl secure createca [-sysman_pwd <pwd>] [-host <hostname>] [-key_strength <strength>] [-cert_validity <validity>] [-root_dc <root_dc>] [-root_country <root_country>] [-root_email <root_email>] [-root_state <root_state>] [-root_loc <root_loc>] [-root_org <root_org>] [-root_unit <root_unit>] [-sign_alg <md5|sha1|sha256|sha384|sha512>] [-cert_validity <validity>]
Oracle Enterprise Manager 12c Release 3 Cloud Control
Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
Creating CA... Started.
Successfully created CA with ID 2

emcli get_ca_info -ca_id="1;2" -details
Info about CA with ID: 1
CA is not configured
DN: CN=myhost.example.com, C=US
Serial# : 3423643907115516586
Valid From: Tue Mar 16 11:06:20 PDT 2011
Valid Till: Sat Mar 14 11:06:20 PDT 2020
Number of Agents registered with CA ID 1 is 1
myhost.mydomain.com:3872

Info about CA with ID: 2
CA is configured
DN: CN=myhost.example.com, C=US, ST=CA
Serial# : 1182646629511862286
Valid From: Fri Mar 19 05:17:15 PDT 2011
Valid Till: Tue Mar 17 05:17:15 PDT 2020
There are no Agents registered with CA ID 2

2.3.2.4 Viewing the Security Status and OMS Port Information

To view the security status and OMS port information, use the following command

Oracle Enterprise Manager Cloud Control 12c Release 3
Copyright (c) 1996, 2013 Oracle Corporation. All rights reserved.
Console Server Host : mymachine.oracle.com
HTTP Console Port : 7802
HTTPS Console Port : 5416
HTTP Upload Port : 7654
HTTPS Upload Port : 4473
EM Instance Home : /ade/myadmin_txn48/oracle/work/em/EMGC_OMS1
OMS Log Directory Location : /ade/myadmin_txn48/oracle/work/em/EMGC_OMS1/sysman/log
OMS is not configured with SLB or virtual hostname
Agent Upload is locked.
OMS Console is unlocked.
Active CA ID: 2
Console URL: https://mymachine.oracle.com:5416/em
Upload URL: https://mymachine.oracle.com:4473/empbs/upload
 
WLS Domain Information
Domain Name : EMGC_DOMAIN
Admin Server Host : mymachine.oracle.com
Admin Server HTTPS Port: 7022
Admin Server is RUNNING
 
Managed Server Information
Managed Server Instance Name: EMGC_OMS1
Managed Server Instance Host: mymachine.oracle.com
WebTier is Up
Oracle Management Server is Up

2.3.2.5 Configuring Transport Layer Security

The Oracle Management Service can be configured in the following modes:

• TLSv1-only mode: To configure the OMS to use only TLSv1 connections, do the following:

  1. Stop the OMS by entering the following command:

     <OMS_ORACLE_HOME>/bin/emctl stop oms
     

  2. Enter the following command:

     emctl secure oms -protocol TLSv1
     

  3. Append -Dweblogic.security.SSL.protocolVersion=TLS1 to JAVA_OPTIONS in <Domain_Home>/bin/startEMServer.sh/<sh/cmd>. If this property already exists, update the value to TLS1. Use startEMServer.sh or startEMServer.cmd depending on your platform.

  4. Restart the OMS with the following command:

     <OMS_ORACLE_HOME>/bin/emctl start oms
     

• SSLv3 Only Mode: To configure the OMS to accept SSLv3 connections only, do the following:

  1. Stop the OMS by entering the following command:

     <OMS_ORACLE_HOME>/bin/emctl stop oms
     

  2. Enter the following command:

     emctl secure oms -protocol SSLv3
     

  3. Append -Dweblogic.security.SSL.protocolVersion=SSL3 to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh or startEMServer.cmd on Windows. If this property already exists, update the value to SSL3.

  4. Restart the OMS with the following command:

     <OMS_ORACLE_HOME>/bin/emctl start oms
     

• Mixed Mode: To configure the OMS to use both SSLv3 and TLSv1 connections, do the following:

  1. Stop the OMS by entering the following command:

     <OMS_ORACLE_HOME>/bin/emctl stop oms
     

  2. Enter the following command:

     emctl secure oms
     

  3. Append -Dweblogic.security.SSL.protocolVersion=ALL to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh. If this property already exists, update the value to ALL.

  4. Restart the OMS with the following command:

     <OMS_ORACLE_HOME>/bin/emctl start oms
     

2.3.4.1 Using the Cloud Control Console to Manage Agent Registration Passwords

You can use the Cloud Control Console to manage your existing registration passwords or create additional registration passwords:

1. From the Setup menu, select Security, then select Registration Passwords.

2. Enterprise Manager displays the Registration Passwords page (Figure 2-6). Registration password specified during install appears in the Registration Passwords table with description <Initial Agent Registration Password>.

3. Use the Registration Passwords page to change your registration password, create additional registration passwords, or remove registration passwords associated with the current Management Repository.

Figure 2-6 Managing Registration Passwords in the Cloud Control Console

When you create or edit an Agent Registration Password on the Registration Passwords page, you can determine whether the password is persistent and available for multiple Management Agents or to be used only once or for a predefined period of time.

For example, if an administrator requests to install a Management Agent on a particular host, you can create a one-time-only password that the administrator can use to install and configure one Management Agent.

On the other hand, you can create a persistent password that an administrator can use for the next two weeks before it expires and the administrator must ask for a new password.

2.3.4.2 Using emctl to Add a New Agent Registration Password

To add a new Agent Registration Password, use the following emctl command on the machine on which the Management Service has been installed:

emctl secure setpwd [sysman pwd] [new registration pwd]

The emctl secure setpwd command requires that you provide the password of the Enterprise Manager super administrator user, sysman, to authorize the addition of the Agent Registration Password.

As with other security passwords, you should change the Agent Registration Password on a regular and frequent basis to prevent it from becoming too widespread.

2.3.6.1 About Oracle Advanced Security and the sqlnet.ora Configuration File

You enable security for the Management Repository by using Oracle Advanced Security. Oracle Advanced Security ensures the security of data transferred to and from an Oracle database.

To enable Oracle Advanced Security for the Management Repository database, you must make modifications to the sqlnet.ora configuration file. The sqlnet.ora configuration file is used to define various database connection properties, including Oracle Advanced Security parameters.

The sqlnet.ora file is located in the following subdirectory of the Database home:

<OMS_ORACLE_HOME>/network/admin

After you have enabled Security for the Management Repository and the Management Services that communicate with the Management Repository, you must also configure Oracle Advanced Security for the Management Agent by modifying the sqlnet.ora configuration file in the Management Agent home directory.

It is important that both the Management Service and the Management Repository are configured to use Oracle Advanced Security. Otherwise, errors will occur when the Management Service attempts to connect to the Management Repository. For example, the Management Service might receive the following error:

ORA-12645: Parameter does not exist

To correct this problem, be sure both the Management Service and the Management Repository are configured as described in the following sections.

2.3.6.2 Configuring the Management Service to Connect to a Secure Management Repository Database

If you have enabled Oracle Advanced Security for the Management Service database—or if you plan to enable Oracle Advanced Security for the Management Repository database—use the following procedure to enable Oracle Advanced Security for the Management Service:

1. Stop the Management Service:

   <OMS_ORACLE_HOME>/bin/emctl stop oms
   

2. Set Enterprise Manager operational properties by using the emctl set property command. The following table shows the emoms properties that must be set.

   Table 2-6  Oracle Advanced Security Properties in the Enterprise Manager Properties

   Property	Description
   oracle.sysman.emRep.dbConn.enableEncryption	Defines whether or not Enterprise Manager will use encryption between Management Service and Management Repository.Possible values are TRUE and FALSE. The default value is TRUE.For example: emctl set property -name 'oracle.sysman.emrep.dbConn.enableEncryption" -value 'true'
   oracle.net.encryption_client	Defines the Management Service encryption requirement.Possible values are REJECTED, ACCEPTED, REQUESTED, and REQUIRED.The default value is REQUESTED. In other words, if the database supports secure connections, then the Management Service uses secure connections, otherwise the Management Service uses insecure connections. For example: oracle.net. encryption_client=REQUESTED
   oracle.net.encryption_types_client	Defines the different types of encryption algorithms the client supports.Possible values should be listed within parenthesis. The default value is ( DES40C ). For example: oracle.net. encryption_types_client=( DES40C )
   oracle.net.crypto_checksum_client	Defines the Client's checksum requirements. Possible values are REJECTED, ACCEPTED, REQUESTED, and REQUIRED. The default value is REQUESTED. In other words, if the server supports checksum enabled connections, then the Management Service uses them, otherwise it uses normal connections. For example: oracle.net. crypto_checksum_client=REQUESTED
   oracle.net.crypto_checksum_types_client	This property defines the different types of checksums algorithms the client supports. Possible values should be listed within parentheses. The default value is ( MD5 ). For example: oracle.net. crypto_checksum_types_client=( MD5 )

   
   

3. Restart the Management Service.

   <OMS_ORACLE_HOME>/bin/emctl start oms
   

2.3.6.3 Enabling Oracle Advanced Security for the Management Repository

To ensure your database is secure and that only encrypted data is transferred between your database server and other sources, review the security documentation available in the Oracle Database documentation library.

The following instructions provide an example of how you can confirm that Oracle Advanced Security is enabled for your Management Repository database and its connections with the Management Service:

1. Locate the sqlnet.ora configuration file in the following directory of the database Oracle Home:

   <OMS_ORACLE_HOME>/network/admin
   

2. Using a text editor, look for the following entries (or similar entries) in the sqlnet.ora file:

   SQLNET.ENCRYPTION_SERVER = REQUESTED
   SQLNET.CRYPTO_SEED = "abcdefg123456789"
   

   See Also:

   "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients in the Oracle Application Server 10g Administrator's Guide.

3. Save your changes and exit the text editor.

2.3.6.4 Enabling Security for a Management Agent Monitoring a Secure Management Repository or Database

After you have enabled Oracle Advanced Security for the Management Repository, you must also enable Advanced Security for the Management Agent that is monitoring the Management Repository:

1. Locate the sqlnet.ora configuration file in the following directory inside the home directory for the Management Agent that is monitoring the Management Repository:

   AGENT_HOME/network/admin (UNIX)
   AGENT_HOME\network\admin (Windows)
   

2. Using a text editor, add the following entry to the sqlnet.ora configuration file:

   SQLNET.CRYPTO_SEED = "abcdefg123456789"
   

   The SQLNET.CRYPTO_SEED can be any string between 10 to 70 characters.

   See Also:

   "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients in the Oracle Application Server Administrator's Guide.

3. Save your changes and exit the text editor.

4. Restart the Management Agent.

2.3.7.1 Configuring Custom Certificates for WebLogic Server

WebLogic Servers installed as part of Enterprise Manager Cloud control (Administration Server and Managed Servers) are configured with a default identity keystore ( DemoIdentity.jks) and a default trust keystore ( DemoTrust.jks). In addition, WebLogic Server trusts the CA certificates in the JDK cacerts file. This default keystore configuration is appropriate for testing and development purposes. However, these keystores should not be used in a production environment.

Default Demo Certificate configured for WLS has a key length of 512 bits. If Microsoft's Security update for minimum certificate key length (KB2661254) has been applied on the browser m/c, the WebLogic Admin Console will not be accessible on Internet Explorer. If you want to access WebLogic Admin Console using Internet Explorer, please configure custom certificate for WLS.

The following sections step you through configuring custom Weblogic Server certificates:

1. Create a Java KeyStore or Wallet for each OMS

2. Import Custom CA Certificates into the Agents Monitoring Trust Store

3. Configure the Custom Certificate for each WLS

2.3.7.2 Configuring Custom Certificates for OMS Console Access

To configure the third party certificate for HTTPS WebTier Virtual Host:

1. Create a wallet for each OMS in the Cloud. Specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Server Load Balancer for Common Name.

2. Run the following command on each OMS and the restart that OMS:

   emctl secure console -wallet <location of wallet>
   

   Note:

   Only Single-Sign-On (SSO) wallets are supported.

2.3.7.3 Configuring Custom Certificates for OMS Upload Access

You can configure the third party certificate for the HTTPS Upload Virtual Host in two ways:

Method I

1. Create a wallet for each OMS in the Cloud.

2. While creating the wallet, specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Load Balancer for Common Name.

3. Write the certificates of all the Certificate Authorities in the certificate chain (like the Root Certificate Authority, Intermediate Certificate Authority) into a file named trusted_certs.txt.

4. Download or copy the trusted_certs.txt file to the host machines on which each Agent that is communicating with the OMS is running.

5. Import the custom CA certificate(s) as trust certificate(s) for Agent by running the following command:

   emctl secure add_trust_cert -trust_certs_loc <location of the trusted_certs.txt file>
   

6. Restart the Agent.

7. Secure the OMS and restart it.

   emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt> [any other options]
   

Method 2

1. Create a wallet for each OMS in the Cloud.

2. Specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Server Load Balancer for Common Name (CN).

3. Write the certificates of all the Certificate Authorities in the certificate chain (like the Root Certificate Authority, Intermediate Certificate Authority) into a file named trusted_certs.txt.

4. Secure the OMS.

   emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt> [any other options]
   

5. Restart the OMS.

6. Either re-secure the Agent by running the emctl secure agent command (should be run on all Agents) or import the trust points by running the emctl secure command.

   Note:

   The trusted certs file (trusted_certs.txt) should contain only certificates in base64 format and not any special characters or comments..

2.3.7.4 Configuring Transport Layer Security

The Oracle Management Service can be configured in the following modes:

• TLSv1-only mode: To configure the OMS to use only TLSv1 connections, do the following:

  1. Stop the OMS by entering the following command:

     <OMS_ORACLE_HOME>/bin/emctl stop oms
     

  2. Enter the following command:

     emctl secure oms -protocol TLSv1
     

  3. Append -Dweblogic.security.SSL.protocolVersion=TLS1 to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh/cmd. If this property already exists, update the value to TLS1.

  4. Restart the OMS with the following command:

     <OMS_ORACLE_HOME>/bin/emctl start oms
     

• SSLv3 Only Mode: To configure the OMS to use SSLv3 connections only, do the following:

  1. Stop the OMS by entering the following command:

     <OMS_ORACLE_HOME>/bin/emctl stop oms
     

  2. Enter the following command:

     emctl secure oms -protocol SSLv3
     

  3. Append -Dweblogic.security.SSL.protocolVersion=SSL3 to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh or startEMServer.cmd on Windows. If this property already exists, update the value to SSL3.

  4. Restart the OMS with the following command:

     <OMS_ORACLE_HOME>/bin/emctl start oms
     

• Mixed Mode: To configure the OMS to use both SSLv3 and TLSv1 connections, do the following:

  1. Stop the OMS by entering the following command:

     <OMS_ORACLE_HOME>/bin/emctl stop oms
     

  2. Enter the following command:

     emctl secure oms
     

  3. Append -Dweblogic.security.SSL.protocolVersion=ALL to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh. If this property already exists, update the value to ALL.

  4. Restart the OMS with the following command:

     <OMS_ORACLE_HOME>/bin/emctl start oms
     

2.3.8.1 emctl secure oms

emctl secure oms [-sysman_pwd <sysman password>] [-reg_pwd <registration password>]
        [-host <hostname>] [-ms_hostname <Managed Server hostname>]
        [-slb_port <SLB HTTPS upload port>] [-slb_console_port <SLB HTTPS console port>] [-no_slb]
        [-secure_port <OHS HTTPS upload Port>] [-upload_http_port <OHS HTTP upload port>]
        [-reset] [-console] [-force_newca]
        [-lock_upload] [-lock_console] [-unlock_upload] [-unlock_console]
        [-wallet <wallet_loc> -trust_certs_loc <certs_loc>]
        [-key_strength <strength>] [-sign_alg <md5|sha1|sha256|sha384|sha512>]
        [-cert_validity <validity>] [-protocol <protocol>]
        [-root_dc <root_dc>] [-root_country <root_country>] [-root_email <root_email>]
        [-root_state <root_state>] [-root_loc <root_loc>] [-root_org <root_org>] [-root_unit <root_unit>]

2.3.8.2 emctl secure agent

2.3.8.3 emctl secure wls

emctl secure wls (-jks_loc <loc> -jks_pvtkey_alias <alias> | -wallet <loc> | -use_demo_cert)
Specify jks_loc,jks_pvtkey_alias or wallet or use_demo_cert
        [-jks_pwd <pwd>] [-jks_pvtkey_pwd <pwd>]
        -jks_loc : Location of JKS containing the custom cert for Admin & Managed Servers
        -jks_pvtkey_alias : JKS's private key alias
        -jks_pwd : JKS's keystore password
        -jks_pvtkey_pwd : JKS's private key password
        -wallet : Location of wallet containing the custom cert for Admin & Managed Servers
        -use_demo_cert: Configure the demo cert for Admin & Managed Servers

2.3.8.4 emctl status oms -details

emctl status oms -details [-sysman_pwd <pwd>]

2.3.9.1 Configuring a Third Party Certificate for HTTPS Console Users

To configure the third party certificate for HTTPS WebTier Virtual Host:

1. Create a wallet for each OMS. Specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Server Load Balancer for Common Name.

2. Run the following command on each OMS and the restart that OMS:

   emctl secure console -wallet <location of wallet>
   

   Note:

   Only single-sign-on wallets are supported.

2.3.9.2 Configuring Third Party Certificate for HTTPS Upload Virtual Host

You can configure the third party certificate for the HTTPS Upload Virtual Host in two ways:

Method I

1. Create a wallet for each OMS.

2. While creating the wallet, specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Load Balancer for Common Name.

3. Write the certificates of all the Certificate Authorities in the certificate chain (like the Root Certificate Authority, Intermediate Certificate Authority) into a file named trusted_certs.txt.

4. Download or copy the trusted_certs.txt file to the host machines on which each Agent that is communicating with the OMS is running.

5. Run the add_trust_cert command on each Agent and then restart that Agent.

   emctl secure add_trust_cert -trust_certs_loc <location of the trusted_certs.txt file>
   

6. Secure the OMS and restart it.

   emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt> [any other options]
   

Method 2

1. Create a wallet for each OMS in the Cloud.

2. Specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Server Load Balancer for Common Name (CN).

3. Write the certificates of all the Certificate Authorities in the certificate chain (like the Root Certificate Authority, Intermediate Certificate Authority) into a file named trusted_certs.txt.

4. Restart the OMS after it has been secured.

   emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt> [any other options]
   

5. Either re-secure the Agent by running the emctl secure agent command (should be run on all Agents) or import the trust points by running the emctl secure add_trust_cert -trust_certs_loc <location of the trusted_certs.txt file> command. The -trust_certs_loc parameter must contain the path and the filename of the trusted_certs.txt file.

   Note:

   This file must only contain certificates in base64 format and no special characters or empty lines.

2.5.1.1 Named Credential

Credentials are stored within Enterprise Manager as "named" entities. Administrators define and store credentials within Enterprise Manager and refer to the credential by a credential name. Named credentials permit the following:

• Named credentials can be used across the product.

• Define references

• Because they use a centralized store, password management is simplified.

Named credentials can be a username/password, or a public key-private key pair. An Enterprise Manager administrator can then use the named credential for performing operations like running jobs, patching and other system management tasks. For example, an administrator can store the username and password they want to use for patching as "MyPatchingCreds". He can later submit a patching job that uses "MyPatchingCreds" to patch a production databases.

Typical Scenarios for using Named Credentials

• In datacenters where only senior DBAs have knowledge of higher privileged credential, sys credentials for database, for example, they can store these credentials in named credential and share these with the junior administrators. Junior administrators can perform their jobs using the named credentials without knowing what the actual credentials are.

• In datacenters where administrators have the same credentials for a target. They can create one named credential containing those credentials and share the named credential with appropriate personnel. This simplifies credential maintenance (changing passwords, for example) by elimingating the need to several copies of named credentials containing the same credentials.

https://apex.oracle.com/pls/apex/f?p=44785:24:0::NO:24:P24_CONTENT_ID,P24_PREV_PAGE:5460,1

There are two categories of named credentials:

• Global Named Credential

  A global named credential is an entity, which is not associated with any Enterprise Manager object. Global named credentials consist of the authentication scheme along with any authentication parameters. Because these are independent entities, an Enterprise Manger administrator can associate these credentials with objects at a later time.

• Target Named Credentials

  Target named credential is an entity which are associated with individual targets at the time of creation. This entity will also contain authentication scheme along with authentication parameters for a specific target.

Access Control

The owner of the named credential can share access to the credentials by granting them the appropriate level of privileges. The following privilege levels are available for all credentials:

• VIEW: Administrators with VIEW privilege on a credential will also be able to use the credentials for running jobs, patching and other system management operations within Enterprise Manager. An administrator with VIEW privileges on other administrator's credentials will be able to view the structure and username of the credential. Sensitive information of the credential such as the password will never be shown.

• EDIT: Allows an Enterprise Manager administrator to change a sensitive information such as the password, or the public/private key pair of the credential. The administrator can change both the Authentication Scheme of the credential as well as the username for the credential. The authenticating target type cannot be changed.

• FULL: Allows an Enterprise Manager administrator to change the credential username, sensitive information such as the password or the public/private key pair, and authentication scheme. An administrator with FULL privilege on a named credential will be able to delete the named credential.

Creating Named Credentials

To create or edit a named credential, from the Setup menu, choose Security and then Named Credential. Note: You need Named Credential resource privilege to create named credentials.

Enterprise Manager Administrators will be able to grant privileges to other administrators while creating the credential or by granting the privileges when editing the credential. The Named Credential page displays as shown in the following figure.

Figure 2-8 Named Credentials Page

From the Named Credential page, you can Create a new named credential, Edit an existing credential, Manage Access (grant/revoke privileges), Delete, Test, View References, or click the Query by Example icon to filter the list of named credentials.

Only the credential owner can manage access their credentials. When a credential owner views references, he can see all references even if not owned by him. Whereas a user who does not own the credential, will see only their own references.

Access Control for Named Credentials

The access control model for credentials adhere to the following rules:

• Only credential owners can grant privileges on named credentials they have created to other users.

• Enterprise Manager Super Administrators cannot obtain any privileges on a newly created credential until he is explicitly granted privileges on the credential object.

• Enterprise Manager administrators, regardless of privilege level, cannot see the sensitive fields such as passwords and private keys from the console UI.

• Credentials privileges cannot be assigned to a role. This eliminates back door entry by Enterprise Manager Super Administrators to grant themselves privileges on the credentials for which they do not have explicit access.

• An Enterprise Manager administrator cannot view other administrators' credentials unless an explicit grant is provided. Even Enterprise Manager Super Administrators cannot view other users' credentials.

• Any Enterprise Manager administrator can create his own credentials and have FULL privileges on the credentials owned.

All the credentials owned by an Enterprise Manager administrator will be deleted if that administrator is deleted from Enterprise Manager. Since access to shared credentials is not automatically granted to Super Administrators, re-assigning named credentials belonging to a regular Enterprise Manager administrator by a Super Administrator is not allowed.

2.5.1.2 Monitoring Credentials

These credentials are used by the Management Agent to monitor certain types of targets. For example, most database monitoring involves connecting to the database, which requires a username, password, and optionally, a role. Monitoring credentials, if stored in the repository, can also be potentially used by management applications to connect directly to the target from the OMS.

To create or edit a monitoring credentials, from the Setup menu, choose Security and then Monitoring Credentials. The Monitoring Credentials page displays as shown in the following figure.

Figure 2-9 Monitoring Credentials

To modify monitoring credentials, select the desired target type and click Manage Monitoring Credentials. The monitoring credentials page for the selected target type displays.

2.5.1.3 Preferred Credentials

Preferred credentials are used to simplify access to managed targets by storing target login credentials in the Management Repository. With preferred credentials set, users can access an Enterprise Manager target that recognizes those credentials without being prompted to log in to the target. Preferred credentials can also be used to carry out administrative operations using the job system. Preferred credentials are set on a per user basis, thus ensuring the security of the managed enterprise environment.

• Default Credentials: Default credentials can be set for a particular target type and will be available for all the targets of the target type. It will be overridden by target preferred credentials.

• Target Credentials: Target credentials are preferred credentials set for a particular target. They could be used by applications such as the job system, notifications, or patching. For example, if the user chooses to use preferred credentials while submitting a job, then the preferred credentials set for the target (target credentials) will be used. If the target credentials are not present, the default credentials (for the target type) will be used. If the default credentials are not present, the job will fail. If not specified, by default, preferred credentials refer to preferred target credentials"

For example, to set the host preferred credentials, from the Setup menu, choose Security and then Preferred Credential. In the Preferred Credentials page, select the Host target type from the table and click Manage Preferred Credentials. The Host Preferred Credentials are displayed.

Figure 2-10 Host Preferred Credentials

On this page, you can set both default and explicit preferred credentials for the host target types.

2.5.1.4 Managing Credentials Using EM CLI

You can manage passwords using EM CLI verbs. Using EM CLI, you can perform such actions as:

• Change the database user password in both the target database and Enterprise Manager.

  emcli update_db_password -change_at_target=Yes|No -change_all_reference=Yes|No
  

• Update a password which has already been changed at the host target.

  emcli update_host_password -change_all_reference=Yes|No
  

• Set preferred credentials for given users.

  emcli set_preferred_credential
  -set_name="set_name"
  -target_name="target_name"
  -target_type="ttype"
  -credential_name="cred_name"
  [-credential_owner ="owner]"
  

  And

  emcli set_preferred_credential
  -set_name="set_name"
  -target_name="target_name"
  -target_type="ttype"
  -credential_name="cred_name"
  [-credential_owner ="owner]"
  

For a complete list of credential management verbs, refer to the Enterprise Manager Command Line Interface guide.

2.5.1.5 Host Authentication Features

This section covers the following topics:

• Setting Up SSH Key-based Host Authentication

• Setup Example Session

• Setting Up Host Preferred Credentials Using SSH Key Credentials

• Authenticating host credentials

• Configuring the PAM "emagent" Service

• Sudo and PowerBroker Support

• Creating a Privilege Delegation Setting

• Sudo and Powerbroker Configuration

• Updating the PDP Configuration File

2.5.1.5.2 Setup Example Session

To generate, manage, or convert SSH authentication keys, you use the SSH-keygen utility available on UNIX systems. This utility SSH-keygen tool provides different options to create with different strengths RSA keys for SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2.

Note:

The procedure shown in this example assumes that you have a firm understanding of SSH setup procedures and user and host equivalence using public private key pair using SSH.

Example 2-9 Setting Up SSH key-based Authentication

$ ssh-keygen -t rsa      

The command options instruct the utility to generate SSH keys (RSA key pair).

Generating public/private rsa key pair.
Enter file in which to save the key (/home/myhome/.ssh/id_rsa):  

The path specified is the standard path to the location where SSH keys are stored ($HOME/.ssh).

Enter passphrase (empty for no passphrase)

Important: passphrase is not supported for use with SSH keys in named credentials.

Enter same passphrase again: (empty for no passphrase)
Your identification has been saved in /home/admin1/.ssh/id_rsa.
Your public key has been saved in /home/admin1/.ssh/id_rsa.pub.
The key fingerprint is:
bb:da:59:7a:fc:24:c6:9a:ee:dd:af:da:1b:1b:ed:7f admin1@myhost2170474

The ssh-regkey utility has now generated two files in the .ssh directory.

$ ls   
id_rsa  id_rsa.pub

To permit access to the host without having SSH prompt for a password, copy the public key to the authorized_keys file on that system.

$ cp id_rsa.pub  authorized_keys   

From this point, all keys listed in that file are allowed access.

Next, perform a remote logon using SSH. The system will not prompt you for a password.

$ ssh myhost  
The authenticity of host 'myhost (10.229.147.184)' can't be established.
RSA key fingerprint is de:a0:2a:d5:23:f0:8a:72:98:74:2c:6f:bf:ad:5b:2b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'myhost,10.229.147.184' (RSA) to the list of known hosts.
Last login: Mon Aug 29 16:48:45 2012 from anotherhost.example.com
$

You are now ready to add the credential to Enterprise Manager.

1. From the Setup menu, select Security, then select Named Credentials.

2. On the Named Credentials page, click Create. The Create Credential page displays.

3. Enter a Credential Name. For example, SSHCRED1.

   Note: The SSHCRED1 credential set will be used in Section 2.5.1.5.3, "Setting Up Host Preferred Credentials Using SSH Key Credentials"

4. Select Host from the Authenticating Target Type drop-down menu.

5. Select SSH Key Credentials from the Credential Type drop-down menu as shown in the following figure.

   
   

6. Ensure that the SSH private key/public key files have been copied to the host on which the browser is running.

7. From the Credential Properties region, click Browse for Public Key and Private Key to upload the generated public key/private key files.

8. Click Test and Save to verify the credentials and save them. The new named credential will appear as shown in the following figure.

Note:

To view an instructional video Oracle Enterprise Manager 12c: Create SSH Key Named Credentials, go to:

https://apex.oracle.com/pls/apex/f?p=44785:24:0::NO:24:P24_CONTENT_ID,P24_PREV_PAGE:5724,1

Figure 2-11 Named Credential Using SSH Keys

2.5.1.5.3 Setting Up Host Preferred Credentials Using SSH Key Credentials

You can set up host preferred credentials to use SSH keys by creating a new credential set that uses the HostSSHCreds credential type. Enterprise Manager administrators then set up preferred credentials that use this credential set. Each Enterprise Manager target type can have one or more preferred credential sets of pre-defined credential types.

The following steps use EM CLI to create a host preferred credential set which supports SSH key credentials. This example assumes the existence of the named credential SSHCRED1 of type SSH Key Credentials created in the previous section.

1. Log into EM CLI as an Enterprise Manager Super Administrator.

2. Create a new credential set of type HostSSHCreds.

   $ emcli create_credential_set -set_name=HostSSHCredSet -target_type=host -supported_cred_types=HostSSHCreds
   
   Credential set "HostSSHCredSet" created successfully.
   

   Once the credential set is created, Enterprise Manger administrators can set up preferred credentials for this newly created credential set using either EM CLI or the Enterprise Manager console.

3. Set up Preferred Credentials for the newly created credential set. You can use EM CLI or the Enterprise Manger console. The following EM CLI example assumes a named credential called SSHCRED1 of type SSH Key Credentials has already been created.

   $ emcli set_preferred_credential -target_type=host -target_name=myhost.oracle.com -set_name=HostSSHCredSet -credential_name=SSHCRED1
   
   Successfully set preferred credentials for target myhost.oracle.com:host.
   

Once the credential set is created and preferred credentials have been set up, whenever the HostSSHCredSet credential set is used for any of the Enterprise Manager operation, that operation will use SSH credentials as defined in the named credential SSHCRED1. The following graphic shows the HostSSHCredSet credential set listed as a default preferred credential for host targets.

You can now set the preferred credentials of regular regular Enterprise Manager administrators to use the SSHCRED1 named credential by editing/creating an administrator and granting Named Credential resource privileges. The following graphic shows the manage privilege grants UI for named credentials.

auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

auth        sufficient    pam_unix.so nullok
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so 

# Sample sudoersfile should have following entry
 
# If you do not have access to oracle and root accounts, 
# then add the following entries into the file: 
 
johndoe ALL=(oracle) /u01/oracle/agent/sbin/nmosudo *
johndoe ALL=(root) /u01/oracle/agent/sbin/nmosudo * 
 
# If you have access to the oracle account, 
# but not to the root account, 
# then only add the following entry into the file: 
johndoe ALL=(root) /u01/oracle/agent/sbin/nmosudo  *
 
# Where, johndoe refers to the user who has been given the 
# SUDO access to Oracle and Root accounts for running 
# the nmosudo command.

if(user=="johndoe") if(command=="/u01/oracle/agent/sbin/nmosudo" )  
// /u01/oracle/agent/ is the Agent Home 
{    
        switch (requestuser    
        {       
                case "root":          
                        runuser="root";          
                        break;       
                case "oracle":          
                        runuser="oracle";          
                        break;       
                default:       
                reject;      
        }  
        accept; 
}

2.6.2.1 emctl status emkey

This command shows the health or status of the emkey. Depending on the status of the emkey, the following messages are displayed:

• When the emkey has been correctly configured in the Credential Store and Repository, the following message is displayed.

  Example 2-11 emctl status emkey - Example 1

  Oracle Enterprise Manager 12c Release 3 Cloud Control
  Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
  The EmKey is configured properly, but is not secure. Secure the EMKey by running "emctl config emkey -remove_from_repos"
  

• When the emkey has been correctly configured in the Credential Store and has been removed from the Management Repository, the following message is displayed.

  Example 2-12 emctl status emkey - Example 2

  Oracle Enterprise Manager 12c Release 3 Cloud Control
  Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
  The EMKey is configured properly.
  

• When the emkey is corrupted in the Credential Store and removed from the Management Repository, the following message is displayed.

  Example 2-13 emctl status emkey - Example 3

  Oracle Enterprise Manager 12c Release 3 Cloud Control
  Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
  The EMKey is not configured properly or is corrupted in the credential store and does not exist in the Management Repository. To correct the problem:
  1) Get the backed up emkey.ora file.
  2) Configure the emkey by running "emctl config emkey -copy_to_credstore_from_file"
  

2.6.2.2 emctl config emkey -copy_to_credstore

This command copies the emkey from the Management Repository to the Credential Store.

emctl config emkey -copy_to_credstore [-sysman_pwd <pwd>]
Oracle Enterprise Manager 12c Release 3 Cloud Control  
Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
The EMKey has been copied to the Credential Store.

2.6.2.3 emctl config emkey -copy_to_repos

This command copies the emkey from the Credential Store to Management Repository.

emctl config emkey -copy_to_repos [-sysman_pwd <pwd>]
Oracle Enterprise Manager 12c Release 3 Cloud Control  
Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
The EMKey has been copied to the Management Repository. This operation will cause the EMKey to become unsecure.
After the required operation has been completed, secure the EMKey by running "emctl config emkey -remove_from_repos".

2.6.2.4 emctl config emkey -copy_to_file_from_credstore

This command copies the emkey from the Credential Store to a specified file.

emctl config emkey -copy_to_file_from_credstore -admin_host <host> -admin_port
<port> -admin_user <username> [-admin_pwd <pwd>] [-repos_pwd <pwd>] -emkey_file
<emkey file>
Oracle Enterprise Manager 12c Release 3 Cloud Control  
Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
The EMKey has been copied to file.

2.6.2.5 emctl config emkey -copy_to_file_from_repos

This command copies the emkey from the Management Repository to a specified file.

emctl config emkey -copy_to_file_from_repos (-repos_host <host> -repos_port <port>
-repos_sid <sid> | -repos_conndesc <conn desc>) -repos_user <username> [-repos_pwd
<pwd>] [-admin_pwd <pwd>] -emkey_file <emkey file>
Oracle Enterprise Manager 12c Release 3 Cloud Control  
Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
The EMKey has been copied to file.

2.6.2.6 emctl config emkey -copy_to_credstore_from_file

The command removes the emkey from the repository: It secures the emkey, which is the out-of-the-box configuration.

emctl config emkey -copy_to_credstore_from_file -admin_host <host> -admin_port <port> -admin_user <username> [-admin_pwd <pwd>] [-repos_pwd <pwd>] -emkey_file <emkey file>
Oracle Enterprise Manager 12c Release 3 Cloud Control  
Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
The EMKey has been copied to the Credential Store.

2.6.2.7 emctl config emkey -copy_to_repos_from_file

This command copies the emkey from a specified file to the repository.

emctl config emkey -copy_to_repos_from_file (-repos_host <host> -repos_port <port>
-repos_sid <sid> | -repos_conndesc <conn desc>) -repos_user <username> [-repos_pwd
<pwd>] [-admin_pwd <pwd>] -emkey_file <emkey file>
Oracle Enterprise Manager 12c Release 3 Cloud Control  
Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
The EMKey has been copied to the Management Repository. This operation will cause
the EMKey to become unsecure.
After the required operation has been completed, secure the EMKey by running "emctl config emkey -remove_from_repos".

2.6.2.8 emctl config emkey -remove_from_repos

This command removes the emkey from the repository.

emctl config emkey -remove_from_repos [-sysman_pwd <pwd>]
Oracle Enterprise Manager 12c Release 3 Cloud Control  
Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
The EMKey has been removed from the Management Repository.

2.6.3.1 Installing the Management Repository

A new emkey is generated as a strong random number when the Management Repository is created.

2.6.3.2 Installing the First Oracle Management Service

When the Oracle Management Service is installed, the Installer copies the emkey to Credential Store and removes it from repository (emkey is secured out-of-box).

2.6.3.3 Upgrading from 10.2 or 11.1 to 12.1

The Management Repository is upgraded as usual. When upgrading the OMS, the omsca (OMS Configuration Assistant) copies the emkey to Credential Store and removes from repository. omsca reads the emkey from emkey.ora file present in the old OMS Oracle Home and copies it to Credential Store.

• Note:

  emkey needs to be copied to the Management Repository before starting the upgrade. After all the Oracle Management Service has been upgraded, you can secure the emkey, that is, remove it from the Management Repository by running the following command:

  emctl config emkey -remove_from_repos

2.6.3.4 Recreating the Management Repository

When the Management Repository is recreated, a new emkey is generated. This new key will not be in synchronization with the emkey existing in the Credential Store. Follow these steps to synchronize the key:

1. Copy the new emkey to Credential Store by using the emctl config emkey -copy_to_credstore command.

2. Take a backup by entering the emctl config emkey -copy_to_file_from_repos command or the emctl config emkey -copy_to_file_from_credstore command.

3. Secure the emkey by using the emctl config emkey -remove_from_repos command.

2.8.1.1 Changing the SYSMAN User Password

To change the password of the SYSMAN user, you use the following command:

emctl config oms -change_repos_pwd [-old_pwd <old_pwd>] [-new_pwd <new_pwd>] [-use_sys_pwd [-sys_pwd <sys_pwd>]]

1. Stop all OMS instances.

   emctl stop oms

2. For each OMS, run the following command:

   emctl config oms -change_repos_pwd'

3. Restart the Administration Server and all OMS instances.

   emctl stop oms -all

   emctl start oms

2.8.1.2 Changing the MGMT_VIEW User Password

To change the password of the MGMT_VIEW user, you use the following command:

emctl config oms -change_view_user_pwd [-sysman_pwd <sysman_pwd>] [-user_pwd <user_pwd>] [-auto_generate]

1. Stop all OMSs.

   <OMS_HOME>/bin/emctl stop oms

2. On one of the OMSs, run the following command:

   <OMS_HOME>/bin/emctl config oms -change_repos_pwd -change_in_db [-old_pwd <old_pwd>] [ -new_pwd <new_pwd>]

3. Restart the AdminServer and all the OMSs.

   emctl stop oms -all

   emctl start oms

2.8.2.1 Responding to the Internet Explorer Security Alert Dialog Box

Security is enabled by default for the Management Service. However, if you have not enabled the more extensive security features of your web tier, you will likely receive the following warning: "There is a problem with this Web site's security certificate." This occurs because Enterprise Manager's certificate is issued by a Certificate Authority which the browser does not trust.

Figure 2-16 Internet Explorer Security Alert

When Internet Explorer displays the certificate warning page, use the following instructions to install the certificate and avoid viewing this page again in future Enterprise Manager sessions:

1. From the certificate warning page, click Continue to this Web site (not recommended).

   Internet Explorer displays a Security Warning dialog.

2. Click Yes. Internet Explorer may display a Security Alert dialog if you have not selected In the future, do not show this warning. in a previous Internet Explorer session. Click OK to dismiss the dialog.

3. The Enterprise Manager console logon page displays.

4. At the top of the browser, click Certificate Error to display the Certificate pop-up.

   
   

5. Click View Certificates. The Certificates dialog appears.

   
   

6. Click the Certificate Path tab and select the first entry in the list of certificates as shown in the following graphic.

   
   

7. Click View Certificate to display a second Certificate dialog box.

8. Click Install Certificate to display the Certificate Import wizard.

9. Accept the default settings in the wizard, click Finish when you are done.

   Internet Explorer displays a Security Warning asking if you want to install the certificate. Click Yes. Internet Explorer will display a message stating that the certificate was imported successfully.

10. Click OK to close each of the security dialog boxes and click Yes on the Security Alert dialog box to continue with your browser session.

    You should no longer receive the Security Alert dialog box in any future connections to Enterprise Manager when you use this browser.

2.8.2.2 Responding to the Mozilla Firefox New Site Certificate Dialog Box

Firefox will also issue a connection warning when Enterprise Manager's certificate is issued by a Certificate Authority which the browser does not trust. When you first attempt to display the Cloud Control console using the HTTPS URL in Mozilla Firefox, you will receive a warning because the connection is untrusted.

When Firefox displays the Untrusted Connection page, use the following instructions to install the certificate and avoid viewing this page again in future Enterprise Manager sessions:

1. Review the instructions and information. Click I Understand the Risks. Firefox displays additional information and the opportunity to add the certificate.

2. Click Add Exception... . Firefox displays the Add Security Exception dialog.

   
   

3. Ensure that the Permanently store this exception option is selected.

   You should no longer receive the New Site Certificate dialog box when using the current browser.

4. Click Confirm Security Exception. The Enterprise Manager console displays.

You will no longer receive the untrusted connection warning in any future connections to Enterprise Manager when you use this browser

2.8.2.3 Responding to the Google Chrome Security Alert Dialog Box

Google Chrome issues a warning if the security certificate of the Website is not trusted. When you first attempt to display the Cloud Control console using the HTTPS URL in Google Chrome, you will receive a warning because the connection is mistrusted.

When Google Chrome displays the Untrusted Connection page, use the following instructions to install the certificate and avoid viewing this page again in future Enterprise Manager sessions:

1. Click on the crossed out lock pad icon on the left hand side of the URL address bar.

   
   

2. Click Certificate Information in the menu.

3. Select the Certification Path tab.

4. Select the OMS host name (a red cross icon).

5. Click View Certificate.

   
   

6. Select the Details tab.

7. Click Copy to File...

   
   

   A wizard guides you through the process. Follow the wizard and select all the default options.

8. Save the certificate on your Desktop. For example, you can save it as:

   adc1110000.cer
   

9. From the Google Chrome menu, go to Tools, click Settings, and then select Show Advanced Settings.

10. Click Manage Certificates.

11. Select the Trusted Root Certification Authority tab.

12. Click Import.

    A wizard guides you through the process of importing the saved certificate.

    A warning window displays a message that the certificate you are importing cannot be verified and asks if you want to continue. Click Yes to proceed.

13. Check if the saved certificate appears in the Trusted Root Certification Authority table.

14. Restart the Google Chrome browser and load the Enterprise Manager URL. If the Certificate Error icon is not visible in the address bar, then the certificate is valid and trusted.

2.8.2.4 Responding to Safari Security Dialog Box

Safari does not support the option to install a certificate individually. To solve this issue, you have to obtain a trusted certificate from a vendor of your choice.