Contents

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

1 Security Overview

• 1.1 Security Threats
• 1.2 Security Principles
  • 1.2.1 Separation of Duties and Principle of Least Privilege
  • 1.2.2 Encryption
  • 1.2.3 Monitoring for Suspicious Activity (Auditing)
  • 1.2.4 Non-repudiation

2 Security Features

• 2.1 Configuring Authentication
  • 2.1.1 Supported Authentication Schemes
  • 2.1.2 Repository-Based Authentication
  • 2.1.3 Oracle Access Manager Single Sign-On
    • 2.1.3.1 Removing Oracle Access Manager Single Sign-On
    • 2.1.3.2 Oracle Single Sign-On (SSO) Based Authentication
  • 2.1.4 Enterprise User Security Based Authentication
    • 2.1.4.1 Registering Enterprise Users (EUS Users) as Enterprise Manager Users
  • 2.1.5 Oracle Internet Directory (OID)
  • 2.1.6 Microsoft Active Directory Based Authentication
  • 2.1.7 Restoring to Default Authentication Method
    • 2.1.7.1 Bypassing the Single Sign-On Logon Page
    • 2.1.7.2 Restoring the Default Authentication Method
  • 2.1.8 External Authorization using External Roles
  • 2.1.9 Mapping LDAP User Attributes to Enterprise Manager User Attributes
  • 2.1.10 Changing User Display Names in Enterprise Manager
  • 2.1.11 Configuring Other LDAP/SSO Providers
    • 2.1.11.1 Configuring Single Sign-on based Authentication
  • 2.1.12 Configuring Enterprise User Security based Authentication
    • 2.1.12.1 Registering Enterprise Users as Enterprise Manager Users
  • 2.1.13 Restoring to Default Authentication Method
    • 2.1.13.1 Bypassing the Single Sign-On Logon Page
    • 2.1.13.2 Restoring the Default Authentication Method
• 2.2 Configuring Privileges and Role Authorization
  • 2.2.1 Understanding Users, Privileges and Roles
  • 2.2.2 Classes of Users
  • 2.2.3 Privileges and Roles
    • 2.2.3.1 Granting Privileges
    • 2.2.3.2 Creating Roles
    • 2.2.3.3 Using Roles to Manage Privileges
  • 2.2.4 Managing Privileges with Privilege Propagating Groups
    • 2.2.4.1 Example1: Granting various teams different levels of access to target groups
    • 2.2.4.2 Example2: Granting developers view access to target database instances.
    • 2.2.4.3 Entitlement Summary
• 2.3 Configuring Secure Communication
  • 2.3.1 About Secure Communication
  • 2.3.2 Enabling Security for the Oracle Management Service
    • 2.3.2.1 Configuring the OMS with Server Load Balancer
    • 2.3.2.2 Enabling Security with Multiple Management Service Installations
    • 2.3.2.3 Creating a New Certificate Authority
    • 2.3.2.4 Viewing the Security Status and OMS Port Information
    • 2.3.2.5 Configuring Transport Layer Security
  • 2.3.3 Securing the Oracle Management Agent
  • 2.3.4 Managing Agent Registration Passwords
    • 2.3.4.1 Using the Cloud Control Console to Manage Agent Registration Passwords
    • 2.3.4.2 Using emctl to Add a New Agent Registration Password
  • 2.3.5 Restricting HTTP Access to the Management Service
  • 2.3.6 Enabling Security for the Management Repository Database
    • 2.3.6.1 About Oracle Advanced Security and the sqlnet.ora Configuration File
    • 2.3.6.2 Configuring the Management Service to Connect to a Secure Management Repository Database
    • 2.3.6.3 Enabling Oracle Advanced Security for the Management Repository
    • 2.3.6.4 Enabling Security for a Management Agent Monitoring a Secure Management Repository or Database
  • 2.3.7 Custom Configurations
    • 2.3.7.1 Configuring Custom Certificates for WebLogic Server
    • 2.3.7.2 Configuring Custom Certificates for OMS Console Access
    • 2.3.7.3 Configuring Custom Certificates for OMS Upload Access
    • 2.3.7.4 Configuring Transport Layer Security
  • 2.3.8 Secure Communication Setup Tools
    • 2.3.8.1 emctl secure oms
    • 2.3.8.2 emctl secure agent
    • 2.3.8.3 emctl secure wls
    • 2.3.8.4 emctl status oms -details
  • 2.3.9 Configuring Third Party Certificates
    • 2.3.9.1 Configuring a Third Party Certificate for HTTPS Console Users
    • 2.3.9.2 Configuring Third Party Certificate for HTTPS Upload Virtual Host
• 2.4 Authentication Scheme
• 2.5 Configuring and Using Target Credentials
  • 2.5.1 Credential Subsystem
    • 2.5.1.1 Named Credential
    • 2.5.1.2 Monitoring Credentials
    • 2.5.1.3 Preferred Credentials
    • 2.5.1.4 Managing Credentials Using EM CLI
    • 2.5.1.5 Host Authentication Features
• 2.6 Configuring and Using Cryptograhic Keys
  • 2.6.1 Configuring the emkey
  • 2.6.2 emctl Commands
    • 2.6.2.1 emctl status emkey
    • 2.6.2.2 emctl config emkey -copy_to_credstore
    • 2.6.2.3 emctl config emkey -copy_to_repos
    • 2.6.2.4 emctl config emkey -copy_to_file_from_credstore
    • 2.6.2.5 emctl config emkey -copy_to_file_from_repos
    • 2.6.2.6 emctl config emkey -copy_to_credstore_from_file
    • 2.6.2.7 emctl config emkey -copy_to_repos_from_file
    • 2.6.2.8 emctl config emkey -remove_from_repos
  • 2.6.3 Install and Upgrade Scenarios
    • 2.6.3.1 Installing the Management Repository
    • 2.6.3.2 Installing the First Oracle Management Service
    • 2.6.3.3 Upgrading from 10.2 or 11.1 to 12.1
    • 2.6.3.4 Recreating the Management Repository
• 2.7 Configuring and Managing Audit
  • 2.7.1 Configuring the Enterprise Manager Audit System
  • 2.7.2 Configuring the Audit Data Export Service
  • 2.7.3 Updating the Audit Settings
  • 2.7.4 Searching the Audit Data
  • 2.7.5 List of Operations Audited
  • 2.7.6 Auditing the Infrastructure
• 2.8 Additional Security Considerations
  • 2.8.1 Changing the SYSMAN and MGMT_VIEW Passwords
    • 2.8.1.1 Changing the SYSMAN User Password
    • 2.8.1.2 Changing the MGMT_VIEW User Password
  • 2.8.2 Responding to Browser-Specific Security Certificate Alerts
    • 2.8.2.1 Responding to the Internet Explorer Security Alert Dialog Box
    • 2.8.2.2 Responding to the Mozilla Firefox New Site Certificate Dialog Box
    • 2.8.2.3 Responding to the Google Chrome Security Alert Dialog Box
    • 2.8.2.4 Responding to Safari Security Dialog Box

3 Keeping Enterprise Manager Secure

• 3.1 Guidelines for Secure Infrastructure and Installations
  • 3.1.1 Secure the Infrastructure and Operating System
  • 3.1.2 Securing the Oracle Management Repository
    • 3.1.2.1 Enable Advanced Security Option
  • 3.1.3 Securing the Oracle Management Agent
  • 3.1.4 Secure Communication
    • 3.1.4.1 Enable ICMP
    • 3.1.4.2 Configure Oracle Management Agent for Firewalls
    • 3.1.4.3 Configure Oracle Management Service for Firewalls
• 3.2 Guidelines for SSL communication
  • 3.2.1 Configure TLSv1 Protocol
  • 3.2.2 Leave communication is Secure-Lock Mode
    • 3.2.2.1 Secure and Lock the OMS and Agents
  • 3.2.3 Disable Weak Ciphers
• 3.3 Guidelines for Authentication
  • 3.3.1 Enable External Authentication
• 3.4 Guidelines for Authorization
  • 3.4.1 Use Principle of Least Privileges for Defining Roles/Privileges
  • 3.4.2 Use Privilege Propagation Groups
• 3.5 Guidelines for Auditing
• 3.6 Guidelines for Managing Target Credentials

4 Troubleshooting

• 4.1 Troubleshooting Authentication Issues in Enterprise Manager

5 References

A An Appendix Title

Index