Oracle® Enterprise Manager Advanced Configuration
10g Release 2 (10.2)
B16242-01

4 Enterprise Manager Security

This chapter describes how to configure Oracle Enterprise Manager Security. Specifically, this chapter contains the following sections:

4.1 About Oracle Enterprise Manager Security

Oracle Enterprise Manager provides tools and procedures to help you ensure that you are managing your Oracle environment in a secure manner. The following sections describe the security features provided by Enterprise Manager.

4.1.1 Oracle Enterprise Manager Security Model

The goals of Oracle Enterprise Manager security are:

  • To be sure that only users with the proper privileges have access to critical monitoring and administrative data.

    This goal is met by requiring username and password credentials before users can access the Enterprise Manager consoles. This includes access to the Oracle Enterprise Manager 10g Grid Control Console, the Oracle Enterprise Manager 10g Database Control Console, and the Oracle Enterprise Manager 10g Application Server Control Console.

  • To be sure that all data transferred between Enterprise Manager components is transferred in a secure manner and that all data gathered by each Oracle Management Agent can be transferred only to the Oracle Management Service for which the Management Agent is configured.

    This goal is met by enabling Enterprise Manager Framework Security. Enterprise Manager Framework Security automates the process of securing the Enterprise Manager components installed and configured on your network.

4.1.2 Classes of Users and Their Privileges

Oracle Enterprise Manager supports different classes of Oracle users, depending upon the environment you are managing and the context in which you are using Oracle Enterprise Manager 10g. For example:

  • The Grid Control Console provides support for creating and managing Enterprise Manager administrator accounts.

    The Enterprise Manager administrators you create and manage in the Grid Control Console are granted privileges and roles to log in to the Grid Control Console and to manage specific target types and to perform specific management tasks.

    The default super administrator for the Grid Control Console is the SYSMAN user, which is a database user associated with the Oracle Management Repository. You define the password for the SYSMAN account during the Enterprise Manager installation procedure.

  • Oracle Application Server administrators use the Oracle Application Server administrator account (ias_admin) to log in to the Application Server Control Console.

  • You use the ias_admin account to manage the components of a specific Oracle Application Server instance. You define the password for the ias_admin account during the Oracle Application Server installation procedure.

4.1.3 Resources Protected

By restricting access to privileged users and providing tools to secure communications between Oracle Enterprise Manager 10g components, Enterprise Manager protects critical information in the Oracle Management Repository.

The Management Repository contains management data that Enterprise Manager uses to help you monitor the performance and availability of your entire enterprise. This data provides you with information about the types of hardware and software you have deployed, as well as the historical performance and specific characteristics of the applications, databases, application servers, and other targets that you manage.

The Management Repository also contains information about the Enterprise Manager administrators who have the privileges to access the management data.

4.1.4 Authorization and Access Enforcement

Authorization and access enforcement for Enterprise Manager is controlled as follows:

  • When you use the Grid Control Console, you create and manage Enterprise Manager administrator accounts. The SYSMAN super administrator can assign specific privileges and roles to each of the additional administrators. These privileges and roles control the targets an administrator can manage and the specific types of tasks the administrator can perform.


    See Also:

    "About Administrators and Roles" in the Enterprise Manager online help

  • When you use the Application Server Control Console, access to the Console is restricted to administrators who use the ias_admin administrator's account. The ias_admin account is set up automatically and you assign a password for the account during the Oracle Application Server installation procedure.


    See Also:

    Oracle Application Server Administrator's Guide for more information about the ias_admin account

4.1.5 Leveraging Oracle Application Server Security Services

As a Web-based application, Enterprise Manager relies on industry-standard technologies to provide secure access to the Oracle Enterprise Manager 10g Grid Control Console, Database Control, and Application Server Control Console.

When you configure security for the Oracle Enterprise Manager 10g Grid Control Console, Enterprise Manager Framework Security provides secure communications between the components of your Enterprise Manager installation. However, you should also use the security services of your Oracle HTTP Server to be sure access to the Grid Control Console is secure.


See Also:

"Configuring Security for Grid Control" for more information about the Enterprise Manager Framework Security

Oracle HTTP Server Administrator's Guide for information about configuring security for your Oracle HTTP Server


Enterprise Manager deploys the Application Server Control Console and Database Control within a single, standalone Oracle Application Server Containers for J2EE (OC4J) instance. As a result, when you configure security for the Application Server Control Console, or for the Database Control, Enterprise Manager uses the standard security services of OC4J to protect your management data.

4.1.6 Leveraging Oracle Identity Management Infrastructure

Oracle Enterprise Manager 10g takes advantage of Oracle Identity Management in two ways:

4.2 Configuring Security for Grid Control

This section contains the following topics:

4.2.1 About Enterprise Manager Framework Security

Enterprise Manager Framework Security provides safe and secure communication channels between the components of Enterprise Manager. For example, Framework Security provides secure connections between your Oracle Management Service and its Management Agents.


See Also:

Oracle Enterprise Manager Concepts for an overview of Enterprise Manager components

Enterprise Manager Framework Security works in concert with—but does not replace—the security features you should enable for your Oracle HTTP Server. Oracle HTTP Server is part of the Oracle Application Server instance that is used to deploy the Management Service J2EE Web application.

Figure 4-1 shows how Enterprise Manager Framework Security provides security for the connections between the Enterprise Manager components. However, the secure HTTPS connection between your browser and the Grid Control Console should be configured like any other Web application by using the security features of your Oracle HTTP Server.

Figure 4-1 Enterprise Manager Framework Security


Enterprise Manager Framework Security implements the following types of secure connections between the Enterprise Manager components:

  • HTTPS and Public Key Infrastructure (PKI) components, including signed digital certificates, for communications between the Management Service and the Management Agents.


    See Also:

    Oracle Security Overview for an overview of Public Key Infrastructure features, such as digital certificates and public keys

  • Oracle Advanced Security for communications between the Management Service and the Management Repository.


    See Also:

    Oracle Database Advanced Security Administrator's Guide

4.2.2 Overview of the Steps Required to Enable Enterprise Manager Framework Security

To enable Enterprise Manager Framework Security, you must configure each of the Enterprise Manager components in a specific order. The following list outlines the process for securing the Management Service and the Management Agents that upload data to the Management Service:

  1. Use the opmnctl stopall command to stop the Management Service, the Oracle HTTP Server, and the other components of the Oracle Application Server that are used to deploy the Management Service.

  2. Use emctl secure oms to enable security for the Management Service.

  3. Restart the Management Service, the Oracle HTTP Server, OracleAS Web Cache, and the other application server components using the opmnctl startall command.

  4. For each Management Agent, stop the Management Agent, use the emctl secure agent command to enable security for the Management Agent, and restart the Management Agent.

  5. After security is enabled for all the Management Agents, use the emctl secure lock command to restrict HTTP Access to the Management Service. This will ensure that all data gathered from the Management Agents is uploaded over a secure HTTPS connection.

The following sections describe how to perform each of these steps in more detail.


Note:

To resolve errors from emctl secure operations, refer to $ORACLE_HOME/sysman/log/secure.log for more details.

4.2.3 Enabling Security for the Oracle Management Service

To enable Enterprise Manager Framework Security for the Management Service, you use the emctl secure oms utility, which is located in the following subdirectory of the Management Service home directory:

$ORACLE_HOME/bin

The emctl secure oms utility performs the following actions:

  • Generates a Root Key within your Management Repository. The Root Key is used during distribution of Oracle Wallets containing unique digital certificates for your Management Agents.

  • Modifies your Oracle HTTP Server to enable an HTTPS channel between your Management Service and Management Agents, independent from any existing HTTPS configuration that may be present in your Oracle HTTP Server.

  • Enables your Management Service to accept requests from Management Agents using Enterprise Manager Framework Security.

To run the emctl secure oms utility you must first choose an Agent Registration Password. The Agent Registration password is used to validate that future installation sessions of Oracle Management Agents and Oracle Management Services are authorized to load their data into this Enterprise Manager installation.

To enable Enterprise Manager Framework Security for the Oracle Management Service:

  1. Change directory to the following directory in the Management Service home:

    ORACLE_HOME/opmn/bin
    
    
  2. Stop the Management Service, the Oracle HTTP Server, and the other application server components using the following command:

    $PROMPT> ./opmnctl stopall
    
    
  3. Change directory to the following directory in the Management Service home:

    ORACLE_HOME/bin
    
    
  4. Enter the following command:

    $PROMPT> ./emctl secure oms
    
    

    Enterprise Manager prompts you for the Enterprise Manager Root Password.

  5. Enter the password for the SYSMAN administrator account used for the Management Repository.

    Enterprise Manager prompts you to specify an Agent Registration Password, which is a new password that will be required for any Management Agents that attempt to connect to the Management Service.

  6. Specify an Agent Registration Password for the Management Service.

    Enterprise Manager prompts you to confirm the host name of the Management Service.

  7. When the operation is complete, restart the Management Service, the Oracle HTTP Server, and OracleAS Web Cache:

    $PROMPT> cd $ORACLE_HOME/opmn/bin
    $PROMPT> ./opmnctl startall
    
    
  8. After the Management Service restarts, test the secure connection to the Management Service by browsing to the following secure URL using the HTTPS protocol:

    https://hostname.domain:4888/
    
    

    For example:

    https://mgmthost1.acme.com:4888/
    
    

    If the Management Service security has been enabled, your browser displays the Oracle Application Server Welcome page.


Note:

The 1159 port number is the default secure port used by the Management Agents to upload data to the Management Service. This port number may vary if the default port is unavailable.


Caution:

While the emctl secure oms command provides immediate HTTPS browser access to the Grid Control Console by using the secure Management Agent upload port, it does not enable security for the default OracleAS Web Cache or Oracle HTTP Server ports that your administrators use to display the Grid Control Console.

To enable security for users who access the Grid Control through OracleAS Web Cache and the default Oracle HTTP Server ports, refer to Oracle Application Server 10g Security Guide.


Example 4-1 Sample Output of the emctl secure oms Command

$PROMPT> ./emctl secure oms
Oracle Enterprise Manager 10g Release 10.2.0.0.0
Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
Enter Enterprise Manager Root Password :
Enter Agent Registration password :
OPMN processes already stopped...   Done.
Securing central oms...   Started.
Checking Repository...   Done.
Checking Em Key...   Done.
Checking Repository for an existing Enterprise Manager Root Key...   Done.
Fetching Root Certificate from the Repository...   Done.
Generating Registration Password Verifier in the Repository...   Done.
Generating Oracle Wallet Password for Enterprise Manager OMS...   Done.
Generating Oracle Wallet for Enterprise Manager OMS...   Done.
Generating Oracle Wallet for iAS HTTP Server...   Done.
Updating HTTPS port in emoms.properties file...   Done.
Generating HTTPS Virtual Host for Enterprise Manager OMS...   Done.
Securing central oms...   Ended.

Alternatively, you can enter the emctl secure oms command all on one line, but if you enter the command on one line, the passwords you enter will be displayed on the screen as you type the command.

Example 4-2 Sample Output of the emctl secure oms Command (II)

$PROMPT> emctl secure oms -sysman_pwd <sysman password> -reg_pwd <registration password>
    [-host <hostname>] [-reset] [-secure_port <secure_port>] [-root_dc <root_dc>]
    [-root_country <root_country>] [-root_state <root_state>] [-root_loc <root_loc>]
    [-root_org <root_org>] [-root_unit <root_unit>] [-root_email <root_email>]

The parameters are explained below:

  • sysman_pwd - The Oracle Management Repository user (SYSMAN) password.

  • reg_pwd - The Management Agent registration password.

  • host - The host name to be used in the certificate used by the Oracle Management Service. You may need to use the SLB host name if there is an SLB in front of the Management Service.

  • reset - If the Oracle Management Service is secured with this option, a new root certificate is generated. All the Management Agents and Oracle Management Services must then be resecured for use with the new root certificate.

  • secure_port - The port to be used for secure communication. The default value is 4888.

  • root_dc - The domain component used in the root certificate. The default value is com.

  • root_country - The country to be used in the root certificate. The default value is US.

  • root_state - The state to be used in the root certificate. The default value is CA.

  • root_loc - The location to be used in the root certificate. The default value is EnterpriseManager on <hostname>.

  • root_org - The organization name to be used in the root certificate. The default value is EnterpriseManager on <hostname>.

  • root_unit - The organizational unit to be used in the root certificate. The default value is EnterpriseManager on <hostname>.

  • root_email - The email address to be used in the root certificate. The default value is EnterpriseManager@<hostname>.

4.2.3.1 Checking the Security Status

You can check whether security has been enabled for the Management Service by entering the emctl secure status command.

Example 4-3 Sample Output of the emctl secure status oms Command

$prompt> emctl secure status oms
Oracle Enterprise Manager 10g Release 10.2.0.0.0 Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
Checking the security status of the OMS at location set in /ade/rpinnama_emcore_main3/oracle/sysman/config/emoms.properties...  Done.
OMS is secure on HTTPS Port 4888 

4.2.4 Enabling Security for the Oracle Management Agent

When you install the Management Agent on a host, you must identify the Management Service that will be used by the Management Agent. If the Management Service you specify has been configured to take advantage of Enterprise Manager Framework Security, you will be prompted for the Agent Registration Password and Enterprise Manager Framework Security will be enabled for the Management Agent during the installation.

Otherwise, if the Management Service has not been configured for Enterprise Manager Framework Security, then security will not be enabled for the Management Agent. In those cases, you can later enable Enterprise Manager Framework Security for the Management Agent.

To enable Enterprise Manager Framework Security for the Management Agent, use the emctl secure agent utility, which is located in the following directory of the Management Agent home directory:

AGENT_HOME/bin (UNIX)
AGENT_HOME\bin (Windows)

The emctl secure agent utility performs the following actions:

  • Obtains an Oracle Wallet from the Management Service that contains a unique digital certificate for the Management Agent. This certificate is required in order for the Management Agent to conduct SSL communication with the secure Management Service.

  • Obtains an Agent Key for the Management Agent that is registered with the Management Service.

  • Configures the Management Agent so it is available on your network over HTTPS and so it uses the Management Service HTTPS upload URL for all its communication with the Management Service.

To enable Enterprise Manager Framework Security for the Management Agent:

  1. Ensure that your Management Service and the Management Repository are up and running.

  2. Change directory to the following directory:

    AGENT_HOME/bin (UNIX)
    AGENT_HOME\bin (Windows)
    
    
  3. Stop the Management Agent:

    $PROMPT> ./emctl stop agent
    
    
  4. Enter the following command:

    $PROMPT> ./emctl secure agent (UNIX)
    $PROMPT> emctl secure agent (Windows)
    
    

    The emctl secure agent utility prompts you for the Agent Registration Password, authenticates the password against the Management Service, and reconfigures the Management Agent to use Enterprise Manager Framework Security.


    Note:

    Alternatively, you can enter the command all on one line, but if you enter the command on one line, the password you enter will be displayed on the screen as you type:
    $PROMPT> ./emctl secure agent agent_registration_pwd (UNIX)
    $PROMPT> emctl secure agent agent_registration_pwd (Windows)
    

    Example 4-4 shows sample output of the emctl secure agent utility.

  5. Restart the Management Agent:

    $PROMPT> ./emctl start agent
    
    
  6. Confirm that the Management Agent is secure by checking the Management Agent home page.

    In the General section of the Management Agent home page (Figure 4-2), the Secure Upload field indicates whether or not Enterprise Manager Framework Security has been enabled for the Management Agent.


    See Also:

    "Checking the Status of an Oracle Management Agent" in the Enterprise Manager online Help

Example 4-4 Sample Output of the emctl secure agent Utility

$PROMPT> ./emctl secure agent
Oracle Enterprise Manager 10g Release 10.2.0.0.0.
Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
Enter Agent Registration password :
Agent is already stopped...   Done.
Securing agent...   Started.
Requesting an HTTPS Upload URL from the OMS...   Done.
Requesting an Oracle Wallet and Agent Key from the OMS...   Done.
Check if HTTPS Upload URL is accessible from the agent...   Done.
Configuring Agent for HTTPS in CENTRAL_AGENT mode...   Done.
EMD_URL set in /private/oracle/agent/sysman/config/emd.properties
Securing agent...   Successful.

Example 4-5 Sample Output of the emctl secure status agent Command

[oracle@stang14 bin]$ ./emctl secure status agent
Oracle Enterprise Manager 10g Release 10.2.0.0.0.
Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
Checking the security status of the Agent at location set in /private/home/oracle/product/102/em/agent10g/sysman/config/emd.properties...  Done.
Agent is secure at HTTPS Port 3872.
Checking the security status of the OMS at http://gridcontrol.oraclecorp.com:4889/em/upload/...  Done.
OMS is secure on HTTPS Port 4888

Figure 4-2 Secure Upload Field on the Management Agent Home Page


4.2.5 Enabling Security with Multiple Management Service Installations

If you already have a secure Management Service running and you install an additional Management Service that uses the same Management Repository, you will need to enable Enterprise Manager Framework Security for the new Management Service. This task is executed using the same procedure that you used to secure the first Management Service, by running the emctl secure oms utility.

Because you have already established at least one Agent Registration Password and a Root Key in your Management Repository, they must be used for your new Management Service. Your secure Management Agents can then operate against either Management Service. For more information on multiple Management Service installations, refer to Using Multiple Management Service Installations.

All the registration passwords assigned to the current Management Repository are listed on the Registration Passwords page in the Oracle Enterprise Manager 10g Grid Control Console.

If you install a new Management Service that uses a new Management Repository, the new Management Service is considered to be a distinct enterprise. There is no way for the new Management Service to partake in the same security trust relationship as another Management Service that uses a different Management Repository. Secure Management Agents of one Management Service will not be able to operate against the other Management Service.

4.2.6 Restricting HTTP Access to the Management Service

When you enable Enterprise Manager Framework Security on your Oracle Management Service, HTTP access is not restricted by default. Any Oracle Management Agent can access the Grid Control Console and Management Service using HTTP or HTTPS connections.

However, it is important that only secure Management Agent installations that use the Management Service HTTPS channel are able to upload data to your Management Repository.

To restrict access so Management Agents can upload data to the Management Service only over HTTPS:

  1. Stop the Management Service, the Oracle HTTP Server, and the other application server components:

    $PROMPT> cd $ORACLE_HOME/opmn/bin
    $PROMPT> ./opmnctl stopall
    
    
  2. Change directory to the following location in the Management Service home:

    $ORACLE_HOME/bin
    
    
  3. Enter the following command to prevent Management Agents from uploading data to the Management Service over HTTP:

    $PROMPT> emctl secure lock
    
    
  4. Restart the Management Service, the Oracle HTTP Server, and the other application server components:

    $PROMPT> cd $ORACLE_HOME/opmn/bin
    $PROMPT> ./opmnctl startall
    
    
  5. Verify that you cannot access the Management Agent upload URL using the HTTP protocol:

    For example, navigate to the following URL:

    http://hostname.domain:4889/em/upload
    
    

    You should receive an error message similar to the following:

    Forbidden
    You don't have permission to access /em/upload on this server
    
    
  6. Verify that you can access the Management Agent using the HTTPS protocol:

    For example, navigate to the following URL:

    https://hostname.domain:4888/em/upload
    
    

    You should receive the following message, which confirms the secure upload port is available to secure Management Agents:

    Http XML File receiver
    Http Recceiver Servlet active!
    
    

To remove the restriction for HTTPS uploads from the Management Agents, repeat the preceding procedure, but replace the emctl secure lock command with the following command:

$PROMPT> emctl secure unlock

Caution:

The emctl secure lock command does not prevent users from accessing the Oracle Enterprise Manager 10g Grid Control Console over HTTP. It restricts non-secure access only for Management Agents that attempt to upload data to the Management Service using the upload URL, which is usually:
http://hostname.domain:4889/em/upload

Example 4-6 Sample Output of the emctl secure lock Command

$prompt> emctl secure lock
Oracle Enterprise Manager 10g Release 10.2.0.0.0
Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
Checking the security status of the OMS...   Done.
Updating HTTPS Virtual Host for Enterprise Manager OMS...   Done.
OMS Locked. Agents must be Secure and upload over HTTPS Port 4888.

Example 4-7 Sample Output of the emctl secure unlock Command

$prompt> emctl secure unlock
Oracle Enterprise Manager 10g Release 10.2.0.0.0 Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
Checking the security status of the OMS...   Done.
Updating HTTPS Virtual Host for Enterprise Manager OMS...   Done.
OMS Unlocked. Non Secure Agents may upload using HTTP.

To restrict HTTP access to the Oracle Enterprise Manager 10g Grid Control Console, configure your Oracle HTTP Server and OracleAS Web Cache as described in the Oracle Application Server documentation.
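The following script carries out the verification in steps 5 and 6 of the locking procedure from the command line and turns the two replies into a single verdict. It is an added example, not Oracle's code: it assumes curl is installed, and OMS_HOST, HTTP_PORT (4889) and HTTPS_PORT (4888) are placeholders for your Management Service host and upload ports.

```shell
#!/bin/sh
# Verify the outcome of "emctl secure lock" by probing the agent upload URL over HTTP and HTTPS.
# Added example, not Oracle's code. Assumes curl; OMS_HOST, HTTP_PORT and HTTPS_PORT are
# placeholders for your Management Service host and its non-secure and secure upload ports.
OMS_HOST="${OMS_HOST:-hostname.domain}"
HTTP_PORT="${HTTP_PORT:-4889}"
HTTPS_PORT="${HTTPS_PORT:-4888}"

# classify_upload_response STATUS BODY: interpret a reply from /em/upload
#   locked  - 403 with the "don't have permission to access /em/upload" page: HTTP uploads refused
#   open    - 200 with the receiver servlet banner: this port accepts agent uploads
#   unknown - anything else (OMS down, wrong port, a proxy answering instead, ...)
classify_upload_response() {
    case "$1" in
        403) case "$2" in *"permission to access /em/upload"*) echo locked ;; *) echo unknown ;; esac ;;
        200) case "$2" in *"Servlet active"*) echo open ;; *) echo unknown ;; esac ;;
        *)   echo unknown ;;
    esac
}

# probe_upload_url URL: fetch URL and print "STATUS BODY" on one line. -k is needed because
# the OMS HTTPS certificate chains to the Enterprise Manager Root Key, not to a public CA.
probe_upload_url() {
    out=$(curl -sk --max-time 10 -w '\n%{http_code}' "$1" 2>/dev/null) || out=$(printf '\n000')
    status=$(printf '%s\n' "$out" | tail -n 1)
    body=$(printf '%s\n' "$out" | sed '$d' | tr '\n' ' ')
    printf '%s %s\n' "$status" "$body"
}

# lock_verdict HTTP_STATE HTTPS_STATE: the lock is effective only when HTTP is refused AND the
# HTTPS upload port still answers; otherwise secure agents lose their upload path as well.
lock_verdict() {
    if [ "$1" = locked ] && [ "$2" = open ]; then
        echo "OK: HTTP uploads refused, HTTPS upload port serving secure agents"
    elif [ "$1" = open ]; then
        echo "FAIL: HTTP upload URL still accepts uploads; run emctl secure lock and restart with opmnctl"
    elif [ "$2" != open ]; then
        echo "FAIL: HTTPS upload port not answering; check emctl secure status oms before locking"
    else
        echo "UNKNOWN: unexpected HTTP reply ($1); inspect the response by hand"
    fi
}

# Demo on constructed replies copied from steps 5 and 6; pass --probe to query the real OMS.
if [ "${1:-}" = "--probe" ]; then
    http=$(probe_upload_url "http://$OMS_HOST:$HTTP_PORT/em/upload")
    https=$(probe_upload_url "https://$OMS_HOST:$HTTPS_PORT/em/upload")
    lock_verdict "$(classify_upload_response ${http%% *} "${http#* }")" \
                 "$(classify_upload_response ${https%% *} "${https#* }")"
else
    lock_verdict "$(classify_upload_response 403 "Forbidden You don't have permission to access /em/upload on this server")" \
                 "$(classify_upload_response 200 "Http XML File receiver Http Recceiver Servlet active!")"
fi
```

Run it with --probe after the opmnctl restart; a FAIL on the HTTPS leg means the lock has cut off the secure agents too, so unlock and check emctl secure status oms first.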

4.2.7 Managing Agent Registration Passwords

Enterprise Manager uses the Agent Registration password to validate that installations of Oracle Management Agents are authorized to load their data into the proper Oracle Management Service.

You create the registration password when you use emctl secure oms to configure security for the Oracle Management Service installation.

4.2.7.1 Using the Grid Control Console to Manage Agent Registration Passwords

After you enable security for your Enterprise Manager components, you can use the Grid Control Console to manage your existing registration passwords or create additional registration passwords:

  1. Click Setup at the top of any Grid Control Console page.

  2. Click Registration Passwords.

    Enterprise Manager displays the Registration Passwords page (Figure 4-3). After you enable security for the Management Service, the registration password you created when you ran the emctl secure oms command appears in the Registration Passwords table.

  3. Use the Registration Passwords page to change your registration password, create additional registration passwords, or remove registration passwords associated with the current Management Repository.

Figure 4-3 Managing Registration Passwords in the Grid Control Console


When you create or edit an Agent Registration Password on the Registration Passwords page, you can determine whether the password is persistent and available for multiple Management Agents or to be used only once or for a predefined period of time.

For example, if an administrator requests to install a Management Agent on a particular host, you can create a one-time-only password that the administrator can use to install and configure one Management Agent.

On the other hand, you can create a persistent password that an administrator can use for the next two weeks before it expires and the administrator must ask for a new password.

4.2.7.2 Using emctl to Change the Agent Registration Password

To change an existing Agent Registration Password, use the following emctl command:

$PROMPT> emctl secure setpwd sysman_password new_Install_Password

Note that the emctl secure setpwd command requires that you provide the password of the Enterprise Manager super administrator user, sysman, to authorize the resetting of the Agent Registration Password.

If you change the Agent Registration Password, you must communicate the new password to other Enterprise Manager administrators who need to install new Management Agents, enable Enterprise Manager Framework Security for existing Management Agents, or install additional Management Services.

As with other security passwords, you should change the Agent Registration Password on a regular and frequent basis to prevent it from becoming too widespread.

4.2.8 Enabling Security for the Management Repository Database

This section describes how to enable Security for the Oracle Management Repository. This section includes the following topics:

4.2.8.1 About Oracle Advanced Security and the sqlnet.ora Configuration File

You enable security for the Management Repository by using Oracle Advanced Security. Oracle Advanced Security ensures the security of data transferred to and from an Oracle database.


See Also:

Oracle Database Advanced Security Administrator's Guide

To enable Oracle Advanced Security for the Management Repository database, you must make modifications to the sqlnet.ora configuration file. The sqlnet.ora configuration file is used to define various database connection properties, including Oracle Advanced Security parameters.

The sqlnet.ora file is located in the following subdirectory of the Database home:

ORACLE_HOME/network/admin

After you have enabled Security for the Management Repository and the Management Services that communicate with the Management Repository, you must also configure Oracle Advanced Security for the Management Agent by modifying the sqlnet.ora configuration file in the Management Agent home directory.

It is important that both the Management Service and the Management Repository are configured to use Oracle Advanced Security. Otherwise, errors will occur when the Management Service attempts to connect to the Management Repository. For example, the Management Service might receive the following error:

ORA-12645: Parameter does not exist

To correct this problem, be sure both the Management Service and the Management Repository are configured as described in the following sections.


Note:

The procedures in this section describe how to manually modify the sqlnet.ora configuration file to enable Oracle Advanced Security. Alternatively, you can make these modifications using the administration tools described in the Oracle Database Advanced Security Administrator's Guide.

4.2.8.2 Configuring the Management Service to Connect to a Secure Management Repository Database

If you have enabled Oracle Advanced Security for the Management Service database—or if you plan to enable Oracle Advanced Security for the Management Repository database—use the following procedure to enable Oracle Advanced Security for the Management Service:

  1. Stop the Management Service:

    $PROMPT> ORACLE_HOME/bin/emctl stop oms
    
    
  2. Locate the following configuration file in the Management Service home directory:

    ORACLE_HOME/sysman/config/emoms.properties
    
    
  3. Using a text editor, add the entries described in Table 4-1 to the emoms.properties file.

    The entries described in the table correspond to valid parameters you can set when you configure network data encryption for the Oracle Database.


    See Also:

    "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" in the Oracle Application Server Administrator's Guide

  4. Save your changes and exit the text editor.

  5. Restart the Management Service.

    $PROMPT> ORACLE_HOME/bin/emctl start oms
    

Table 4-1 Oracle Advanced Security Properties in the Enterprise Manager Properties File

Property Description

oracle.sysman.emRep.dbConn.enableEncryption

Defines whether or not Enterprise Manager will use encryption between the Management Service and the Management Repository. Possible values are TRUE and FALSE. The default value is FALSE. For example:

oracle.sysman.emRep.dbConn.enableEncryption=true

oracle.net.encryption_client

Defines the Management Service encryption requirement. Possible values are REJECTED, ACCEPTED, REQUESTED, and REQUIRED. The default value is REQUESTED. In other words, if the database supports secure connections, then the Management Service uses secure connections, otherwise the Management Service uses insecure connections.

For example:

oracle.net.encryption_client=REQUESTED

oracle.net.encryption_types_client

Defines the different types of encryption algorithms the client supports. Possible values should be listed within parentheses. The default value is ( DES40C ).

For example:

oracle.net.encryption_types_client=( DES40C )

oracle.net.crypto_checksum_client

Defines the Client's checksum requirements.

Possible values are REJECTED, ACCEPTED, REQUESTED, and REQUIRED.

The default value is REQUESTED. In other words, if the server supports checksum enabled connections, then the Management Service uses them, otherwise it uses normal connections.

For example:

oracle.net.crypto_checksum_client=REQUESTED

oracle.net.crypto_checksum_types_client

This property defines the different types of checksum algorithms the client supports.

Possible values should be listed within parentheses. The default value is ( MD5 ).

For example:

oracle.net.crypto_checksum_types_client=( MD5 )


4.2.8.3 Enabling Oracle Advanced Security for the Management Repository

To be sure your database is secure and that only encrypted data is transferred between your database server and other sources, review the security documentation available in the Oracle Database 10g documentation library.


See Also:

Oracle Database Advanced Security Administrator's Guide

The following instructions provide an example of how you can confirm that Oracle Advanced Security is enabled for your Management Repository database and its connections with the Management Service:

  1. Locate the sqlnet.ora configuration file in the following directory of the database Oracle Home:

    ORACLE_HOME/network/admin
    
    
  2. Using a text editor, look for the following entries (or similar entries) in the sqlnet.ora file:

    SQLNET.ENCRYPTION_SERVER = REQUESTED
    SQLNET.CRYPTO_SEED = "abcdefg123456789"
    

    See Also:

    "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" in the Oracle Application Server Administrator's Guide

  3. Save your changes and exit the text editor.

4.2.8.4 Enabling Security for a Management Agent Monitoring a Secure Management Repository or Database

After you have enabled Oracle Advanced Security for the Management Repository, you must also enable Advanced Security for the Management Agent that is monitoring the Management Repository:

  1. Locate the sqlnet.ora configuration file in the following directory inside the home directory for the Management Agent that is monitoring the Management Repository:

    AGENT_HOME/network/admin (UNIX)
    AGENT_HOME\network\admin (Windows)
    
    
  2. Using a text editor, add the following entry to the sqlnet.ora configuration file:

    SQLNET.CRYPTO_SEED = "abcdefg123456789"
    

    See Also:

    "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" in the Oracle Application Server Administrator's Guide

  3. Save your changes and exit the text editor.

  4. Restart the Management Agent.
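The procedures in Sections 4.2.8.2 through 4.2.8.4 leave the choice of encryption level and algorithm to the administrator, and the Table 4-1 defaults (REQUESTED, DES40C, MD5) only negotiate protection when the peer offers it. The following script is an added example, not code from the Oracle documentation or from Enterprise Manager: it reads an emoms.properties file (Management Service side) or a sqlnet.ora file (Management Repository side) and lists the settings that still allow an unprotected or weakly protected connection. The property names are those of Table 4-1 and Section 4.2.8.3; the "weak" policy is the script's own, and the AES and SHA1 algorithm names in the hardened samples are taken from the Oracle Advanced Security documentation, so confirm that your driver and database release accept them.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): audit the Oracle Advanced
# Security settings of an emoms.properties file (Table 4-1) and a sqlnet.ora
# file (Section 4.2.8.3) and flag settings that permit an unprotected or
# weakly protected Management Service / Management Repository connection.
#
# Policy assumptions (this script's, not Oracle's): anything other than
# REQUIRED lets the two sides negotiate down to no encryption or no integrity
# check; DES40C and MD5 are the weakest entries of the default lists.
# Only "key=value" / "KEY = value" lines are parsed (an assumption).

# get_prop FILE KEY: print the value of KEY with whitespace removed, empty if unset
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d ' \t\r'
}

# check_ano FILE ENC_KEY ENC_TYPES_KEY CKS_KEY CKS_TYPES_KEY: one finding per line
check_ano() {
    f=$1
    for key in "$2" "$4"; do
        v=$(get_prop "$f" "$key")
        case "$v" in
            REQUIRED) ;;
            *) echo "$key=${v:-<unset>}: not REQUIRED, the session may fall back to an unprotected connection" ;;
        esac
    done
    for key in "$3" "$5"; do
        v=$(get_prop "$f" "$key")
        case "$v" in
            '')       echo "$key=<unset>: no explicit algorithm list, the default applies" ;;
            *DES40C*) echo "$key=$v: 40-bit DES is offered" ;;
            *MD5*)    echo "$key=$v: MD5 is offered" ;;
        esac
    done
}

# check_emoms FILE: Management Service side (emoms.properties, Table 4-1 names)
check_emoms() {
    v=$(get_prop "$1" oracle.sysman.emRep.dbConn.enableEncryption)
    case "$v" in
        true|TRUE) ;;
        *) echo "oracle.sysman.emRep.dbConn.enableEncryption=${v:-<unset, default FALSE>}: repository traffic is not encrypted" ;;
    esac
    check_ano "$1" oracle.net.encryption_client oracle.net.encryption_types_client \
                   oracle.net.crypto_checksum_client oracle.net.crypto_checksum_types_client
}

# check_sqlnet FILE: Management Repository side (database sqlnet.ora)
check_sqlnet() {
    check_ano "$1" SQLNET.ENCRYPTION_SERVER SQLNET.ENCRYPTION_TYPES_SERVER \
                   SQLNET.CRYPTO_CHECKSUM_SERVER SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER
}

# count_findings CHECK_FUNC FILE: number of findings (always exits 0)
count_findings() {
    "$1" "$2" | wc -l | tr -d ' '
}

# write_samples DIR: constructed sample files, one weak and one hardened per side.
# The weak ones are the values shown on this page; the hardened ones insist on
# encryption and integrity and offer only stronger algorithms.
write_samples() {
    cat > "$1/emoms.weak" <<'EOF'
oracle.sysman.emRep.dbConn.enableEncryption=true
oracle.net.encryption_client=REQUESTED
oracle.net.encryption_types_client=( DES40C )
oracle.net.crypto_checksum_client=REQUESTED
oracle.net.crypto_checksum_types_client=( MD5 )
EOF
    cat > "$1/emoms.hardened" <<'EOF'
oracle.sysman.emRep.dbConn.enableEncryption=true
oracle.net.encryption_client=REQUIRED
oracle.net.encryption_types_client=( AES256, AES192, AES128 )
oracle.net.crypto_checksum_client=REQUIRED
oracle.net.crypto_checksum_types_client=( SHA1 )
EOF
    cat > "$1/sqlnet.weak" <<'EOF'
SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.CRYPTO_SEED = "abcdefg123456789"
EOF
    cat > "$1/sqlnet.hardened" <<'EOF'
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
SQLNET.CRYPTO_SEED = "abcdefg123456789"
EOF
}

# Demo: run with --demo to print the findings for the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    for f in emoms.weak emoms.hardened; do echo "== $f"; check_emoms "$d/$f"; done
    for f in sqlnet.weak sqlnet.hardened; do echo "== $f"; check_sqlnet "$d/$f"; done
    rm -rf "$d"
fi
```

In practice, point check_emoms at ORACLE_HOME/sysman/config/emoms.properties and check_sqlnet at ORACLE_HOME/network/admin/sqlnet.ora before restarting the Management Service; the section above notes that both sides must be configured consistently, and REQUIRED on both sides is the only setting under which a misconfigured peer fails loudly rather than silently connecting in cleartext.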

4.3 Configuring Enterprise Manager for Use with Oracle Application Server Single Sign-On

If you are currently using Oracle Application Server Single Sign-On to control access and authorization for your enterprise, you can extend those capabilities to the Grid Control Console.

By default, when you navigate to the Grid Control Console, Enterprise Manager displays the Enterprise Manager login page. However, you can configure Enterprise Manager so it uses Oracle Application Server Single Sign-On to authorize your Grid Control Console users. Instead of seeing the Enterprise Manager login page, Grid Control Console users will see the standard Oracle Application Server Single Sign-On login page. From the login page, administrators can use their Oracle Application Server Single Sign-On credentials to access the Oracle Enterprise Manager 10g Grid Control Console.


Note:

You can configure Enterprise Manager to either use Oracle Application Server Single Sign-On or the Enterprise User Security features. You cannot use both options at the same time.

The following sections describe how to configure Enterprise Manager as an OracleAS Single Sign-On Partner Application:

4.3.1 Configuring Enterprise Manager to Use the Single Sign-On Logon Page

To configure the Grid Control Console for use with Oracle Application Server Single Sign-On:

  1. Set the ORACLE_HOME environment variable to the Management Service home directory.

    For example:

    $PROMPT> setenv ORACLE_HOME /dev01/oracle/em10g_GridControl
    
    
  2. Change directory to the opmn/bin directory of the Management Service Oracle home:

    $PROMPT> cd $ORACLE_HOME/opmn/bin
    
    
  3. Stop the Management Service, the Oracle HTTP Server, and the other components of the application server:

    $PROMPT> ./opmnctl stopall
    
    
  4. Change directory to the bin directory of the Management Service Oracle home:

    $PROMPT> cd $ORACLE_HOME/bin
    
    
  5. Enter the following command at the operating system prompt:

    $PROMPT> ./emctl config oms sso -host ssoHost -port ssoPort -sid ssoSid  -pass ssoPassword -das http://ssohost:port/
    
    

    For example:

    $PROMPT> ./emctl config oms sso -host sshost1.acme.com -port 1521 -sid asdb -pass Ch22x5xt -das http://ssohost1.acme.com:7777
    
    

    Table 4-2 describes the arguments on the emctl config oms sso command line.

    Example 4-8 shows the typical output generated by the emctl config oms sso command.

  6. Restart the Management Service, Oracle HTTP Server, and the other application server components:

    $PROMPT> cd $ORACLE_HOME/opmn/bin
    $PROMPT> ./opmnctl startall
    
    
  7. Go to the Grid Control Console URL.

    For example:

    http://mgmthost1.acme.com:7777/em
    
    

    The browser is redirected to the standard Single Sign-On Logon page.

Table 4-2 Arguments for the emctl sso Command

Argument Description

-host

The name of the host computer where the Oracle Application Server Single Sign-On server resides. Be sure to use the fully-qualified host name.

-port

The port for the Oracle Application Server Single Sign-On database, for example, 1521.

-sid

The system identifier (SID) for the Oracle Application Server Single Sign-On database.

-pass

The password for the Oracle Application Server Single Sign-On schema (orasso). The orasso schema password is randomized when the Oracle Application Server infrastructure is installed.

To obtain the password, see "Obtaining the Single Sign-On Schema Password" in the Oracle Application Server Single Sign-On Administrator's Guide.

-das

The URL containing the host and port for the Delegated Administration Service (DAS). Generally, the DAS host name and port are the same as the host name and port of the Oracle Application Server Single Sign-On server. For example:

http://mgmthost1.acme.com:7777


Example 4-8 Sample Output of the emctl config oms sso Command

[smptest@stamt03 bin]$ ./emctl config oms sso -host isunraj29.us.oracle.com -port 1521 -sid orcl -pass W5RB9YD3 -das http://isunraj29.us.oracle.com:7777 -u oracle
 
Oracle Enterprise Manager 10g Release 10.2.0.0.0  Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
/scratch/smptest/mm9/oms10g/Apache/Apache/conf/httpd.conf has been modified.
/scratch/smptest/mm9/oms10g/sysman/config/emoms.properties has been modified.
Registering to SSO server, please wait...
Parameters passed to SSO registration tool :
param0:-oracle_home_path param1:/scratch/smptest/mm9/oms10g param2:-host param3:isunraj29.us.oracle.com param4:-port param5:1521 param6:-sid param7:orcl param8:-schema param9:orasso param10:-pass param11:**** param12:-site_name param13:stamt03.us.oracle.com:4889 param14:-success_url param15:http://stamt03.us.oracle.com:4889/osso_login_success param16:-logout_url param17:http://stamt03.us.oracle.com:4889/osso_logout_success param18:-cancel_url param19:http://stamt03.us.oracle.com:4889/ param20:-home_url param21:http://stamt03.us.oracle.com:4889/ param22:-config_mod_osso param23:TRUE param24:-u param25:oracle param26:-sso_server_version param27:v1.2  -DinstallType=
-DoldOracleHome=
-DoldOHSUser=root
Check /scratch/smptest/mm9/oms10g/sso/log/ssoreg.log for details of this registration
SSO registration tool finished successfully.
Done!

4.3.2 Registering Single Sign-On Users as Enterprise Manager Administrators

After you have configured Enterprise Manager to use the Single Sign-On logon page, you can register any Single Sign-On user as an Enterprise Manager administrator:

  1. Go to the Grid Control Console URL.

    For example:

    http://mgmthost1.acme.com:7777/em
    
    

    The browser is redirected to the standard Single Sign-On Logon page.

  2. Enter the credentials for a valid Single Sign-On user.

    If the Single Sign-On user is not an Enterprise Manager administrator, the browser is redirected to a modified version of the Enterprise Manager logon page (Figure 4-4).

  3. Log in to Enterprise Manager as a Super Administrator.

  4. Click Setup and then click Administrators to display the Administrators page.


    See Also:

    "Creating, Editing, and Viewing Administrators" in the Enterprise Manager online help

    Because Enterprise Manager has been configured to use Single Sign-On, the first page in the Create Administrator wizard now offers you the option of creating an administrator based on a registered Oracle Internet Directory user (Figure 4-5).

  5. Select Oracle Internet Directory and advance to the next page in the wizard.

  6. Enter the name and e-mail address of the Oracle Internet Directory user, or click the flashlight icon to search for a user name in the Oracle Internet Directory.

  7. Use the rest of the wizard pages to define the roles, system privileges, and other characteristics of the Enterprise Manager administrator and then click Finish.

    Enterprise Manager displays a summary page that lists the characteristics of the administrator account.

  8. Click Finish to create the new Enterprise Manager administrator.

    The OID user is now included in the list of Enterprise Manager administrators. You can now verify the account by logging out of the Grid Control Console and logging back in using the OID user credentials on the Single Sign-On logon page.

Figure 4-4 Modified Enterprise Manager Logon Page When Configuring SSO


Figure 4-5 Create Administrator Page When SSO Support Is Enabled


4.3.3 Grid Control as a Single Sign-On Partner Application

The emctl config oms sso command adds the Oracle Enterprise Manager 10g Grid Control Console as an Oracle Application Server Single Sign-On partner application. Partner applications are those applications that have delegated authentication to the Oracle Application Server Single Sign-On Server.

To see the list of partner applications, navigate to the following URL:

http://hostname:port/pls/orasso/orasso.home

For example:

http://ssohost1.acme.com:7777/pls/orasso/orasso.home

4.3.4 Bypassing the Single Sign-On Logon Page

After you configure Enterprise Manager to use the Single Sign-On logon page, you can bypass the Single Sign-On page at any time and go directly to the Enterprise Manager logon page by entering the following URL:

http://hostname.domain:port/em/console/logon/logon

For example:

http://mgmthost1.acme.com:7777/em/console/logon/logon

4.4 Configuring Enterprise Manager for Use with Enterprise User Security

Enterprise User Security enables you to create and store Oracle9i database information as directory objects in an LDAP-compliant directory server. For example, an administrator can create and store enterprise users and roles for the Oracle9i database in the directory, which helps centralize the administration of users and roles across multiple databases.


See Also:

"Enterprise User Security Configuration Tasks and Troubleshooting" in the Oracle Database Advanced Security Administrator's Guide

If you currently use Enterprise User Security for all your Oracle9i databases, you can extend this feature to Enterprise Manager. Configuring Enterprise Manager for use with Enterprise User Security simplifies the process of logging in to database targets you are managing with the Oracle Enterprise Manager 10g Grid Control Console.

To configure Enterprise Manager for use with Enterprise User Security:

  1. Ensure that you have enabled Enterprise User Security for your Oracle Management Repository database, as well as the database targets you will be managing with the Grid Control Console.

  2. Stop the Oracle Management Service.

  3. Change directory to the IAS_HOME/sysman/config directory and open the emoms.properties file with your favorite text editor.

  4. Add the following entry in the emoms.properties file:

    oracle.sysman.emSDK.sec.DirectoryAuthenticationType=EnterpriseUser
    
    
  5. Save and close the emoms.properties file.

  6. Start the Management Service.

The next time you use the Oracle Enterprise Manager 10g Grid Control Console to drill down to a managed database, Enterprise Manager will attempt to connect to the database using Enterprise User Security. If successful, Enterprise Manager will connect you to the database without displaying a login page. If the attempt to use Enterprise User Security fails, Enterprise Manager will prompt you for the database credentials.

4.5 Setting Up the Auditing System for Enterprise Manager

All operations performed by Enterprise Manager users, such as creating users, granting privileges, or starting a remote job like patching or cloning, need to be audited to ensure compliance with the Sarbanes-Oxley Act of 2002 (SAS 70). This act defines standards an auditor must employ in order to assess the contracted internal controls of a service organization. Auditing an operation enables an administrator to monitor, detect, and investigate problems and enforce enterprise-wide security policies.

4.5.1 Audit Data

The following data is audited for all Enterprise Manager operations:

Table 4-3 Common Audit Data

Field Name Description

User Name

The name of the current Enterprise Manager user.

User Type

This can be any of the following:

  • Enterprise Manager User

  • Single Sign On User

  • Enterprise User

  • System User

Client Host Name

The name of the user's host machine.

IP Address

The IP address of the user's host machine.

Operation Code

The type of operation. To see a list of operation codes, refer to Operation Codes.

Operation Description

The operation being audited.

Operation Payload

The payload for the selected operation. For example, if the grant_target_priv operation is to be audited, apart from the common data, the user_name, target_name, target_type, and target_owner will be audited.

Object Name

The operation being performed on an object. Each operation has an operation code and an object associated with it. For example, the create_user operation is associated with user_name object, the submit_job operation has a job name associated with it.

Object Type

Each operation code has an object type associated with it. For example, the create_user operation has the user_type object associated with it, the submit_job operation has a job type (OS command, SQL Script) associated with it.

Object Owner

The owner of the object - job owner, operation owner.

Timestamp

The date and time on which the operation took place.

Client Type

The type of browser (UI) or Terminal (Backend).

Client Session

The nature of the session (HTTP Session, DB Session)

OMS Host Name

The host name of the Oracle Management Service.

OMS Time Zone

The time zone of the Oracle Management Service.

Client Session ID

This can be either the HTTP Session ID or the DBMS Session ID.

Login Time

The time at which the user logged into Enterprise Manager.

Logout Time

The time at which the user logged out of Enterprise Manager.

Login Status

The login status indicating whether the login was successful, failed, or timed out.

Note: The login and logout operations are always audited even if the operation code is turned off.


4.5.2 Operation Codes

Apart from the common audit data, data specific to each operation is also audited. The following table lists the names of operation and their corresponding codes, and additional payloads audited for each operation.

Table 4-4 Operation Specific Data

Operation Name Operation Code Additional Payload

change_password

1

user_name

create_user

2

user_name, time_stamp, user_type

delete_user

3

user_name, time_stamp, user_type

logon / logoff

4 and 5


grant_role

6

user_name

grant_target_priv

7

user_name, target_name, target_type, target_owner

revoke_role

8

user_name

revoke_target_priv

9

user_name, target_name, target_type, target_owner

submit_job

10


edit_job

11


delete_job

12

operation_type

modify_user

14


grant_system_priv

15

user_name

grant_job_priv

16

user_name, job_name, job_type, job_owner

revoke_system_priv

17

user_name

revoke_job_priv

18

user_name, job_name, job_type, job_owner

remote_op

19

step_id, step_status, args, input, remote_command, target_name, target_type, user_name, output

get_file

20

step_id, step_status, dest_file, dest_type, source_file, target_name, target_type, user_name, output

put_file

21

step_id, step_status, dest_file, source_file, source_type, target_name, target_type, user_name, output

file_transfer

22

step_id, step_status, dest_file, dest_target_name, dest_target_type, dest_args, dest_command, dest_user_name, source_file, source_target_name, source_target_type, source_args, source_commands, source_user_name, output

create_role

23


delete_role

24


modify_role

25



4.5.3 Audit APIs

The following APIs allow the administrator (SYSMAN user) to set up the audit function for one or more operations:

  • mgmt_audit_admin.set_audit() - This API sets the AUDIT_LEVEL and AUDIT_MODE parameters. The AUDIT_LEVEL parameter can be set to 0, 1 or 2 depending on your requirement.

    • 0 - All operations in Enterprise Manager will be audited.

    • 1 - Only selected operations will be audited. If you select this level, you must turn on the audit function for the operations that are to be audited.

    • 2 - None of the operations will be audited.

    This API also sets the AUDIT_MODE parameter to 0 to store the audited data in the Management Repository.

  • mgmt_audit_admin.set_audit_on() - This API turns on the audit function for a specific operation.

  • mgmt_audit_admin.set_audit_off() - This API turns off the audit function for a specific operation.

4.5.4 Configuring the Enterprise Manager Audit System

To set up the audit system in Enterprise Manager:

  1. Make sure that the Oracle Management Service is up and running.

  2. The audit function is turned off by default. Log in to the Enterprise Manager Management Repository as the sysman user. To turn on the audit function, enter the following commands:

    SQL> exec mgmt_audit_admin.set_audit(AUDIT_MODE, null, AUDIT_LEVEL);

    Set AUDIT_MODE to 0 and AUDIT_LEVEL to 0 (all operations), 1 (selected operations), or 2 (none).
    
    
  3. If the AUDIT_LEVEL is set to 1, the audit function needs to be turned on / off for the specific operations that need to be audited by using the following commands:

    SQL> exec mgmt_audit_admin.set_audit_on(op_code); (Turns on the audit function for the specified operation code.)

    SQL> commit;

    SQL> exec mgmt_audit_admin.set_audit_off(op_code); (Turns off the audit function for the specified operation code.)

    SQL> commit;

    For a list of operation codes, refer to Operation Codes.

  4. After setting the AUDIT_LEVEL, you must restart the Oracle Management Service to ensure that this change has taken effect.

  5. You can then login to Enterprise Manager and create a job or perform other user operations.


Notes:

  • Only the SYSMAN user has execute permissions to the audit data. Other users can only view the data in the MGMT$AUDIT_LOG view if they have the required privileges.

  • The audit data can be viewed from the MGMT$AUDIT_LOG view with the following query:

    select * from mgmt$audit_log order by op_code, time_stamp;

  • The audit data can be purged by using the following command:

    SQL> exec mgmt_audit_admin.audit_purge(time);

    The time specified here must be in SYSDATE (DD_MMM_YY) format.

    Example: SQL> exec mgmt_audit_admin.audit_purge ('21-SEP-05');
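Steps 2 and 3 of Section 4.5.4 are typed interactively, which leaves no record of which operation codes from Table 4-4 were switched on. The following script is an added example, not code from the Oracle documentation or from Enterprise Manager: it generates the SQL*Plus script for a named set of operations from the Table 4-4 codes, so the audited set can be reviewed and re-applied after a repository rebuild. It assumes the mgmt_audit_admin API and the codes exactly as documented above; the PRIVILEGED_OPS selection (account, role, privilege and remote-execution operations) is the script's own policy, and the apply_audit_script helper assumes sqlplus is on the PATH and a connect string such as sysman@<repository TNS alias>.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): generate the SQL*Plus
# script that configures the Enterprise Manager audit system (Sections 4.5.2
# to 4.5.4) for a reviewable, named set of operations.
# Assumes the Table 4-4 operation codes and the mgmt_audit_admin API as
# documented; the PRIVILEGED_OPS list is this script's own policy.

# op_code NAME: print the Table 4-4 code for an operation name, empty if unknown
op_code() {
    case "$1" in
        change_password)    echo 1 ;;
        create_user)        echo 2 ;;
        delete_user)        echo 3 ;;
        grant_role)         echo 6 ;;
        grant_target_priv)  echo 7 ;;
        revoke_role)        echo 8 ;;
        revoke_target_priv) echo 9 ;;
        submit_job)         echo 10 ;;
        edit_job)           echo 11 ;;
        delete_job)         echo 12 ;;
        modify_user)        echo 14 ;;
        grant_system_priv)  echo 15 ;;
        grant_job_priv)     echo 16 ;;
        revoke_system_priv) echo 17 ;;
        revoke_job_priv)    echo 18 ;;
        remote_op)          echo 19 ;;
        get_file)           echo 20 ;;
        put_file)           echo 21 ;;
        file_transfer)      echo 22 ;;
        create_role)        echo 23 ;;
        delete_role)        echo 24 ;;
        modify_role)        echo 25 ;;
        *)                  echo "" ;;
    esac
}

# Operations that change who may do what, or run commands and move files on
# managed hosts (policy choice; logon/logoff, codes 4 and 5, are always audited).
PRIVILEGED_OPS="create_user delete_user modify_user grant_role revoke_role \
grant_system_priv revoke_system_priv grant_target_priv revoke_target_priv \
grant_job_priv revoke_job_priv create_role delete_role modify_role \
remote_op get_file put_file file_transfer"

# build_audit_script OP...: print a SQL*Plus script that selects AUDIT_MODE 0
# (store in the repository) and AUDIT_LEVEL 1 (selected operations), enables
# each OP, and commits. Unknown names become a visible comment, not a silent
# omission. Always exits 0; the caller decides what to do with the text.
build_audit_script() {
    echo "-- generated: AUDIT_MODE 0 (repository), AUDIT_LEVEL 1 (selected operations)"
    echo "exec mgmt_audit_admin.set_audit(0, null, 1);"
    for op in "$@"; do
        code=$(op_code "$op")
        if [ -n "$code" ]; then
            echo "exec mgmt_audit_admin.set_audit_on($code);   -- $op"
        else
            echo "-- WARNING: unknown operation '$op' skipped; check Table 4-4"
        fi
    done
    echo "commit;"
    echo "-- verify what was recorded (logon/logoff are audited regardless of level)"
    echo "select * from mgmt\$audit_log order by op_code, time_stamp;"
}

# apply_audit_script CONNECT OP...: feed the script to SQL*Plus as SYSMAN.
# Example: apply_audit_script sysman@emrep $PRIVILEGED_OPS   (prompts for the password)
# Restart the Management Service afterwards (emctl stop oms / emctl start oms),
# as step 4 of Section 4.5.4 requires for the AUDIT_LEVEL change to take effect.
apply_audit_script() {
    conn=$1
    shift
    build_audit_script "$@" | sqlplus -S "$conn"
}

# Demo: print the script for the privileged set without connecting anywhere.
if [ "${1:-}" = "--demo" ]; then
    build_audit_script $PRIVILEGED_OPS
fi
```

Keeping the generated script under version control gives the auditor the same thing the audit log gives the administrator: evidence of which operations were being recorded at a given point in time.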


4.6 Configuring the emkey

The emkey is an encryption key that is used to encrypt and decrypt sensitive data in Enterprise Manager such as host passwords, database passwords and others. By default, the emkey is stored in the $ORACLE_HOME/sysman/config/emkey.ora file. The location of this file can be changed.


WARNING:

If the emkey.ora file is lost or corrupted, all the encrypted data in the Management Repository becomes unusable. Maintain a backup copy of this file on another system.


During startup, the Oracle Management Service checks the status of the emkey. If the emkey has been properly configured, it uses it for encrypting and decrypting data. If the emkey has not been configured properly, the following error message is displayed:

Example 4-9 emctl start oms Command

$prompt> emctl start oms
Oracle Enterprise Manager 10g Release 10.2.0.0.0  Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
Starting HTTP Server ...
Starting Oracle Management Server ...
Checking Oracle Management Server Status ...
Oracle Management Server is not functioning because of the following reason:
The Em Key is not configured properly. Run "emctl status emkey" for more details.

4.6.1 Generating the emkey

The emkey is a random number that is generated during the installation of the Oracle Management Repository and is stored in a table. When the Oracle Management Service is installed, the emkey is copied from the Management Repository to the emkey.ora file and stored in the ORACLE_HOME/sysman/config/ directory of each Oracle Management Service.


WARNING:

After the emkey has been copied, you must remove it from the Management Repository as it is not considered secure. If it is not removed, data such as database passwords, server passwords and other sensitive information can be easily decrypted. To remove the emkey from the Management Repository, enter the following command:

$prompt> emctl config emkey -remove_from_repos


4.6.2 emctl Commands

The emctl commands related to emkey are given below:

  • emctl status emkey

  • emctl config emkey -repos

  • emctl config emkey -emkeyfile

  • emctl config emkey -emkey

  • emctl config emkey -remove_from_repos

  • emctl config emkey -copy_to_repos

The usage of these commands is given below:

$prompt> emctl status emkey [-sysman_pwd <sysman password>]
$prompt> emctl config emkey -repos [-emkeyfile <emkey.ora path>] [-force] [-sysman_pwd <sysman password>]
$prompt> emctl config emkey -emkeyfile <emkey.ora path> [-force] [-sysman_pwd <sysman password>]
$prompt> emctl config emkey -emkey [-emkeyfile <emkey.ora path>] [-force] [-sysman_pwd <sysman password>]
$prompt> emctl config emkey -remove_from_repos [-sysman_pwd <sysman password>]
$prompt> emctl config emkey -copy_to_repos [-sysman_pwd <sysman password>]

4.6.2.1 emctl status emkey

This command shows the health or status of the emkey. Depending on the status of the emkey, the following messages are displayed:

  • When the emkey has been correctly configured in the Management Service but is still present in the Management Repository, the following message is displayed.

    Example 4-10 emctl status emkey - Example 1

    Oracle Enterprise Manager 10g Release 10.2.0.0.0  Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
    The Em Key is configured properly, but is not secure. Secure the Em Key by running "emctl config emkey -remove_from_repos".
    
    
  • When the emkey has been correctly configured in the Management Service and has been removed from the Management Repository, the following message is displayed.

    Example 4-11 emctl status emkey - Example 2

    Oracle Enterprise Manager 10g Release 10.2.0.0.0  Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
    The Em Key is configured properly.
    
    
  • When the emkey.ora file is corrupt or missing and is present in the Management Repository, the following message is displayed.

    Example 4-12 emctl status emkey - Example 3

    Oracle Enterprise Manager 10g Release 10.2.0.0.0  Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
    The Em Key exists in the Management Repository, but is not configured properly or is corrupted in the file system.
    Configure the Em Key by running "emctl config emkey -repos".
    
    
  • When the emkey.ora file is corrupt or missing and is not present in the Management Repository, the following message is displayed.

    Example 4-13 emctl status emkey - Example 4

    Oracle Enterprise Manager 10g Release 10.2.0.0.0  Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
    The Em Key is not configured properly or is corrupted in the file system and does not exist in the Management Repository. To correct the problem:
    1) Copy the emkey.ora file from another OMS or backup machine to the OH/sysman/config directory.
    2) Configure the emkey.ora file by running "emctl config emkey -emkeyfile <emkey.ora file location>".
    
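The four status messages above are the only signal that the emkey is still sitting in the Management Repository, and the warning in Section 4.6 makes an off-host backup of emkey.ora a hard requirement. The following script is an added example, not code from the Oracle documentation or from Enterprise Manager: emkey_state turns the documented output of emctl status emkey (Examples 4-10 to 4-13) into a machine-checkable state so a scheduled job can alert while the key is unsecured, and backup_emkey makes an owner-only copy of emkey.ora and verifies it. It assumes the backup directory is a mount from another machine; the demo and the constructed inputs use a temporary directory and a placeholder file, not a real key.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): defender-side helpers for
# the emkey lifecycle of Section 4.6.
#   emkey_state  classifies the text printed by "emctl status emkey"
#                (the messages of Examples 4-10 to 4-13);
#   backup_emkey makes the off-host copy of emkey.ora that the warning in
#                Section 4.6 calls for, readable only by its owner, and verifies it.
# Assumption: the backup directory is a mount from another machine. The demo
# uses a temporary directory and a constructed placeholder file.

# emkey_state TEXT: print secure | unsecured | file_bad_recoverable |
# file_bad_unrecoverable | unknown. Patterns are the documented messages;
# order matters because several messages share the words "configured properly".
emkey_state() {
    case "$1" in
        *"configured properly, but is not secure"*)       echo unsecured ;;
        *"exists in the Management Repository, but is not configured properly"*)
                                                          echo file_bad_recoverable ;;
        *"does not exist in the Management Repository"*)  echo file_bad_unrecoverable ;;
        *"is configured properly."*)                      echo secure ;;
        *)                                                echo unknown ;;
    esac
}

# action_for STATE: the next step Section 4.6.2 documents for that state
action_for() {
    case "$1" in
        secure)                 echo "nothing to do" ;;
        unsecured)              echo "run: emctl config emkey -remove_from_repos" ;;
        file_bad_recoverable)   echo "run: emctl config emkey -repos" ;;
        file_bad_unrecoverable) echo "restore emkey.ora from backup, then run: emctl config emkey -emkeyfile <path>" ;;
        *)                      echo "inspect the emctl output manually" ;;
    esac
}

# check_emkey: read "emctl status emkey" output on stdin, print "state: action".
# Usage: emctl status emkey | check_emkey
check_emkey() {
    text=$(cat)
    state=$(emkey_state "$text")
    echo "$state: $(action_for "$state")"
}

# backup_emkey SRC DIR: copy SRC to DIR/emkey.ora.<timestamp> with owner-only
# permissions, verify the copy byte-for-byte, print the backup path.
# Returns 1 (with a message on stderr) if the source is unreadable or the copy differs.
backup_emkey() {
    src=$1
    dest="$2/emkey.ora.$(date +%Y%m%d%H%M%S)"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    ( umask 077 && cp "$src" "$dest" ) || return 1
    cmp -s "$src" "$dest" || { echo "$dest does not match $src" >&2; return 1; }
    echo "$dest"
}

# Demo: classify the four documented messages, then back up a placeholder file.
if [ "${1:-}" = "--demo" ]; then
    for msg in "The Em Key is configured properly, but is not secure." \
               "The Em Key is configured properly." \
               "The Em Key exists in the Management Repository, but is not configured properly or is corrupted in the file system." \
               "The Em Key is not configured properly or is corrupted in the file system and does not exist in the Management Repository."; do
        echo "$msg" | check_emkey
    done
    d=$(mktemp -d)
    printf 'constructed-sample-not-a-real-key\n' > "$d/emkey.ora"   # placeholder, not a key
    backup_emkey "$d/emkey.ora" "$d" && ls -l "$d"
    rm -rf "$d"
fi
```

A state other than secure from a nightly `emctl status emkey | check_emkey` is worth an alert: the page is explicit that while the key is in the repository every stored password can be decrypted by anyone who can read that table.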

4.6.2.2 emctl config emkey -repos

This command copies the emkey from the Management Repository to the emkey.ora file.

Example 4-14 Sample Output of the emctl config emkey -repos Command

$ emctl config emkey -repos -emkeyfile /tmp/emkey.ora.0 -force
Oracle Enterprise Manager 10g Release 10.2.0.0.0  Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
Please enter repository password: 
The Em Key has been configured successfully.

In this example, the emkey is copied from the Management Repository to the /tmp/emkey.ora.0 file. The command configures the oracle.sysman.emkeyfile property in the emoms.properties to point to this file.


Note:

The -force option is required only if the emkey file is already configured.

If the -emkeyfile option is not provided, the emkey from the Management Repository overwrites the already configured emkey.ora file.


4.6.2.3 emctl config emkey -emkeyfile

This command can be used to configure a new emkey.ora file.

Example 4-15 Sample Output of emctl config emkey -emkeyfile Command

$ emctl config emkey -emkeyfile /tmp/emkey.ora.1 -force
Oracle Enterprise Manager 10g Release 10.2.0.0.0  Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
Please enter repository password: 
The Em Key has been configured successfully.

This command configures the /tmp/emkey.ora.1 file as the new emkey.ora file. It also modifies the oracle.sysman.emkeyfile property in emoms.properties to point to this file. The -force option is required only if the emkey.ora file has already been configured.

4.6.2.4 emctl config emkey -emkey

This command is used to configure a new emkey.

Example 4-16 Sample Output of emctl config emkey -emkey Command

$ emctl config emkey -emkey -emkeyfile /tmp/emkey.ora.2 -force
Oracle Enterprise Manager 10g Release 10.2.0.0.0  Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
Please enter repository password: 
Please enter the em key: 
The Em Key has been configured successfully.

This command writes the emkey provided as standard input into the /tmp/emkey.ora.2 file and configures it. The -force option is required only if the emkey.ora file has already been configured. If the -emkeyfile option is not provided, the emkey is overwritten to the already configured emkey.ora file.

4.6.2.5 emctl config emkey -remove_from_repos

This command removes the emkey from the Management Repository.

Example 4-17 Sample Output of emctl config emkey -remove_from_repos Command

$ emctl config emkey -remove_from_repos
Oracle Enterprise Manager 10g Release 10.2.0.0.0  Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
Please enter repository password: 
The Em Key has been removed from the Management Repository.
Make a backup copy of OH/sysman/config/emkey.ora file and store it on another machine.
WARNING: Encrypted data in Enterprise Manager will become unusable if the emkey.ora file is lost or corrupted.

4.6.2.6 emctl config emkey -copy_to_repos

This command copies the emkey back to the Management Repository.

Example 4-18 Sample Output of emctl config emkey -copy_to_repos Command

$ emctl config emkey -copy_to_repos
Oracle Enterprise Manager 10g Release 10.2.0.0.0  Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
Please enter repository password: 
The Em Key has been copied to the Management Repository. This operation will cause the Em Key to become unsecure.

Note:

This command is used during the additional Oracle Management Service install (see Section 4.6.3). When you use this command, the emkey will be present in the Management Repository, which is not considered secure. You can secure it after the additional Oracle Management Service install by running the command: emctl config emkey -remove_from_repos

4.6.3 Install and Upgrade Scenarios

This section explains the install and upgrade scenarios for emkey.

4.6.3.1 Installing the Management Repository

A new emkey is generated as a strong random number when the Management Repository is installed.

4.6.3.2 Installing the First Oracle Management Service

When the Oracle Management Service is installed, the installer copies the emkey from the Management Repository and stores it in the emkey.ora file.


Note:

After installation, the emkey will be present in the Management Repository. This is not considered secure. The user can secure the emkey by running the emctl command emctl config emkey -remove_from_repos.

4.6.3.3 Installing Additional Oracle Management Service

Similar to the first Oracle Management Service install, the installer will copy the emkey from the Management Repository to the emkey.ora file of the additional Oracle Management Service.


Note:

After the first Oracle Management Service install, you may have removed the emkey from the Management Repository using the emctl command.

Before the additional Oracle Management Service is installed, run the following command from the first Oracle Management Service home to copy the emkey to the Management Repository.

emctl config emkey -copy_to_repos

If the additional Oracle Management Service install is done without the emkey in the Management Repository, the installer will prompt the user to run the command mentioned above.


4.6.3.4 Upgrading from 10.1 to 10.2

The Management Repository is upgraded as usual. When the Oracle Management Service is upgraded, the upgrade script copies the emkey from the Management Repository to the emkey.ora file of each Oracle Management Service.


Note:

After all the Oracle Management Services have been upgraded, you can secure the emkey, that is, remove it from the Management Repository, by running the following command:

emctl config emkey -remove_from_repos


4.6.3.5 Recreating the Management Repository

When the Management Repository is recreated, a new emkey is generated. This new key is not in synchronization with the existing emkey.ora in the Oracle Management Service home directory. Run emctl config emkey -repos -force to overwrite emkey.ora with the new key from the Management Repository.

4.7 Additional Security Considerations

After you enable security for the Enterprise Manager components and framework, there are additional security considerations. This section provides the following topics:

4.7.1 Responding to Browser-Specific Security Certificate Alerts

This section describes how to respond to browser-specific security alert dialog boxes when you are using Enterprise Manager in a secure environment.

The security alert dialog boxes described in this section should appear only if you have enabled Enterprise Manager Framework Security but have not completed the more extensive procedures to secure your Oracle HTTP Server properly. Because the steps below tell the browser to trust the Management Service certificate permanently, compare the certificate's subject, issuer and validity dates with what your Enterprise Manager administrator expects before accepting it.

This section contains the following topics:

4.7.1.1 Responding to the Internet Explorer Security Alert Dialog Box

If you enable security for the Management Service, but do not enable the more extensive security features of your Oracle HTTP Server, you will likely receive a Security Alert dialog box similar to the one shown in Figure 4-6 when you first attempt to display the Grid Control Console using the HTTPS URL in Internet Explorer.


Note:

The instructions in this section apply to Internet Explorer 5.5. The instructions may vary for other supported browsers.

Figure 4-6 Internet Explorer Security Alert Dialog Box


When Internet Explorer displays the Security Alert dialog box, use the following instructions to install the certificate and avoid viewing this dialog box again in future Enterprise Manager sessions:

  1. In the Security Alert dialog box, click View Certificate.

    Internet Explorer displays the Certificate dialog box.

  2. Click the Certificate Path tab and select the first entry in the list of certificates as shown in Figure 4-7.

  3. Click View Certificate to display a second Certificate dialog box.

  4. Click Install Certificate to display the Certificate Import wizard.

  5. Accept the default settings in the wizard, click Finish when you are done, and then click Yes in the Root Certificate Store dialog box.

    Internet Explorer displays a message box indicating that the Certificate was imported successfully.

  6. Click OK to close each of the security dialog boxes and click Yes on the Security Alert dialog box to continue with your browser session.

    You should no longer receive the Security Alert dialog box in any future connections to Enterprise Manager when you use this browser.

Figure 4-7 Certificate Path Tab on the Internet Explorer Certificate Dialog Box


4.7.1.2 Responding to the Netscape Navigator New Site Certificate Dialog Box

If you enable security for the Management Service, but you do not enable the more extensive security features of your Oracle HTTP Server, you will likely receive a New Site Certificate dialog box similar to the one shown in Figure 4-8 when you first attempt to display the Grid Control Console using the HTTPS URL in Netscape Navigator.


Note:

The instructions in this section apply to Netscape Navigator 4.79. The instructions may vary for other supported browsers.

When Netscape Navigator displays the New Site Certificate dialog box, use the following instructions to install the certificate and avoid viewing this dialog box again in future Enterprise Manager sessions:

  1. Review the instructions and information on each wizard page; click Next until you are prompted to accept the certificate.

  2. Select Accept this certificate forever (until it expires) from the list of options.

  3. On the last screen of the wizard, click Finish to close the wizard and continue with your browser session.

    You should no longer receive the New Site Certificate dialog box when using the current browser.

Figure 4-8 Netscape Navigator New Site Certificate Dialog Box


4.7.1.3 Preventing the Display of the Internet Explorer Security Information Dialog Box

After you enable Security for the Management Service, you may receive a dialog box similar to the one shown in Figure 4-9 whenever you access certain Enterprise Manager pages.


Note:

The instructions in this section apply to Internet Explorer 6.0. The instructions may vary for other supported browsers.

Figure 4-9 Internet Explorer Security Information Dialog Box


To stop this dialog box from displaying:

  1. Select Internet Options from the Internet Explorer Tools menu.

  2. Click the Security tab.

  3. Select Internet and then click Custom Level.

    Internet Explorer displays the Security Settings dialog box.

  4. Scroll down to Miscellaneous settings and enable the Display Mixed Content option.

    This setting applies to every site in the Internet zone: Internet Explorer will then load non-HTTPS content into HTTPS pages without asking. If you prefer not to relax this for all sites, add the Enterprise Manager site to a narrower zone such as Trusted sites and change the option for that zone only.

4.7.2 Configuring Beacons to Monitor Web Applications Over HTTPS

Oracle Beacons provide availability and performance monitoring for Web applications. They are part of the Application Performance Management features of Enterprise Manager.


See Also:

"About Application Performance Management" in the Enterprise Manager Online Help

When a Beacon is used to monitor a URL over Secure Sockets Layer (SSL) using an HTTPS URL, the Beacon must be configured to recognize the Certificate Authority that has been used by the Web site where that URL resides.


See Also:

"The Public Key Infrastructure Approach to Security" in Oracle Security Overview for an overview of Public Key Infrastructure features, such as Certificate Authorities

The Beacon software is preconfigured to recognize most commercial Certificate Authorities that are likely to be used by a secure Internet Web site. However, you may encounter Web sites that, although available over HTTPS, do not have a certificate signed by a commercial Certificate Authority recognized by the Beacon. The following Certificate Authority certificates are recognized by Beacons out of the box:

  • Class 1 Public Primary Certification Authority by VeriSign, Inc.

  • Class 2 Public Primary Certification Authority by VeriSign, Inc.

  • Class 3 Public Primary Certification Authority by VeriSign, Inc.

  • Secure Server Certification Authority by RSA Data Security, Inc.

  • GTE CyberTrust Root by GTE Corporation

  • GTE CyberTrust Global Root by GTE CyberTrust Solutions, Inc.

  • Entrust.net Secure Server Certification Authority by Entrust.net ((c) 1999 Entrust.net Limited, www.entrust.net/CPS incorp. by ref. (limits liab.))

  • Entrust.net Certification Authority (2048) by Entrust.net ((c) 1999 Entrust.net Limited, www.entrust.net/CPS_2048 incorp. by ref. (limits liab.))

  • Entrust.net Secure Server Certification Authority by Entrust.net ((c) 2000 Entrust.net Limited, www.entrust.net/SSL_CPS incorp. by ref. (limits liab.))

In those cases, if you attempt, for example, to use the Test section of the Beacon Performance page to test the HTTP Response of the secure URL, the following error appears in the Status Description column of the Response Metrics table on the URL Test page:

javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr--https://mgmtsys.acme.com/OracleMyPage.Home


See Also:

"Using Beacons to Monitor Remote URL Availability" in the Enterprise Manager online help

To correct this problem, you must allow the Beacon to recognize the Certificate Authority that was used by the Web site to support HTTPS, by adding that Certificate Authority's certificate (not the Web site's own server certificate) to the list of Certificate Authorities recognized by the Beacon.

To configure the Beacon to recognize the Certificate Authority:

  1. Obtain the Certificate of the Web Site's Certificate Authority, as follows:

    1. In Microsoft Internet Explorer, connect to the HTTPS URL of the Web Site you are attempting to monitor.

    2. Double-click the lock icon at the bottom of the browser screen, which indicates that you have connected to a secure Web site.

      The browser displays the Certificate dialog box, which describes the Certificate used for this Web site. Other browsers offer a similar mechanism to view the Certificate detail of a Web Site.

    3. Click the Certificate Path tab and select the first entry in the list of certificates as shown in Figure 4-7.

    4. Click View Certificate to display a second Certificate dialog box.

    5. Click the Details tab on the Certificate window.

    6. Click Copy to File to display the Certificate Manager Export wizard.

    7. In the Certificate Manager Export wizard, select Base64 encoded X.509 (.CER) as the format you want to export and save the certificate to a text file with an easily-identifiable name, such as beacon_certificate.cer.

    8. Open the certificate file using a text editor.

      The content of the certificate file will look similar to the content shown in Example 4-19.

  2. Update the list of Beacon Certificate Authorities as follows:

    1. Locate the b64InternetCertificate.txt file in the following directory of the Agent Home on the Beacon host:

      agent_home/sysman/config/

      This file contains a list of Base64 Certificates.

    2. Edit the b64InternetCertificate.txt file and add the contents of the Certificate file you just exported to the end of the file, taking care to include all the Base64 text of the Certificate including the BEGIN and END lines.

  3. Restart the Management Agent.

    After you restart the Management Agent, the Beacon detects your addition to the list of Certificate Authorities recognized by Beacon and you can successfully monitor the availability and performance of the secure Web site URL.

Example 4-19 Sample Content of an Exported Certificate

-----BEGIN CERTIFICATE----- 
MIIDBzCCAnCgAwIBAgIQTs4NcImNY3JAs5edi/5RkTANBgkqhkiG9w0BAQQFADCB
... base64 certificate content...
-----END CERTIFICATE-----

4.8 Other Security Features

This section describes Enterprise Manager security features.

4.8.1 Using ORACLE_HOME Credentials

Oracle Enterprise Manager 10g Release 2 introduces ORACLE_HOME credentials: the operating system credentials of the user who owns an ORACLE_HOME. The operating system user who installed the software must also be the one who patches it. In Oracle Enterprise Manager 10g Release 2 you can explicitly set the ORACLE_HOME credentials and store them in the Management Repository. When patching, you can use the existing operating system credentials or override them under special circumstances. You can specify ORACLE_HOME credentials and, in the same interface, choose to store them in the Management Repository for future use.

The Enterprise Manager Command Line Interface (EM CLI) also provides a facility to set ORACLE_HOME credentials. This is useful when the Super Administrator sets the credentials and the user who initiates the patching job does not know them. For auditing in security-hardened data centers, the owner of the software is usually different from the user who initiates the patching job. The patching application internally switches the user context to the owner of the software and patches the software. To support this case, the patch administrator sets the ORACLE_HOME credentials to those of the owner of the ORACLE_HOME. The Grid Control user who executes the patching job does not see the credentials; the patching job internally executes as the owner of the ORACLE_HOME. Grid Control audits the patching job and captures the name of the Grid Control user who initiated it. For example, if the owner of the ORACLE_HOME is "X", the patch super administrator in Grid Control is "Y" and the target administrator in Grid Control is "Z": "Y" sets the ORACLE_HOME credential to "X" with the password, using EM CLI; "Z" submits the patching job using the already stored preferred credentials; Grid Control audits the job as submitted by "Z".

The following is an example for setting the Oracle Home credentials using command line:

./emcli set_credential -target_type=host -target_name=val1 -credential_set=OHCreds -columns="OHUsername:val2;OHPassword:val3" -oracle_homes="val4"

where:

val1 = Hostname

val2 = Oracle Home user name

val3 = Oracle Home password

val4 = Oracle Home location

You can also set credentials for multiple Oracle Homes on the same host using the following command:

./emcli set_credential -target_type=host -target_name=val1 -credential_set=OHCreds -columns="OHUsername:val2;OHPassword:val3" -oracle_homes="val4;val5"

where

val1 = Hostname

val2 = Oracle Home user name

val3 = Oracle Home password

val4 = Oracle Home location 1

val5 = Oracle Home location 2


Note:

Only one host can be passed to the verb. To set Oracle Home credentials on multiple hosts, use a shell or Perl script that reads one line at a time from a file containing the host, credential values and home location, and calls the emcli set_credential verb for each line. A password given directly on the command line is visible in the process list while emcli runs and is recorded in the shell history; use the -input_file parameter (Table 4-5) to supply it from a file instead.

The emcli set_credential command sets preferred credentials for given users. Table 4-5 describes the input values to the emcli set_credential command.

Table 4-5 emcli set_credential Parameters

Parameter | Input Value | Description
-target_type | -target_type="ttype" | Type of target. Must be "host" when the -oracle_homes parameter is specified.
-target_name | [-target_name="tname"] | Name of target. Omit this argument to set enterprise preferred credentials. Must be a hostname when the -oracle_homes parameter is specified.
-credential_set | -credential_set="cred_set" | Credential set affected.
-user | [-user="user"] | Enterprise Manager user whose credentials are affected. If omitted, the current user's credentials are affected.
-columns | -columns="col1:newval1;col2:newval2;..." | The name and new value of the column(s) to set. Every column of the credential set must be specified. Alternatively, a tag from the -input_file argument may be used so that the credential values are not seen on the command line. This argument may be specified more than once.
-input_file | [-input_file="tag1:file_path1;tag2:file_path2;..."] | Path of a file that holds the -columns argument(s). This option is used to hide passwords. Each path must be accompanied by a tag, which is referenced in the -columns argument. This argument may be specified more than once.
-oracle_homes | [-oracle_homes="home1;home2"] | Names of Oracle Homes on the target host. Credentials are added or updated for all specified homes.
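A script of the kind the note above describes, as an added example that is not part of the Oracle documentation or of EM CLI itself. It assumes emcli is on the PATH and already logged in, that the input file has the invented format host:oh_user:oh_password:home1[;home2...], and that a tag given as the whole -columns value is replaced by the contents of the file named in -input_file, as Table 4-5 describes; confirm the tag syntax with emcli help set_credential on your release before relying on it. The point of the -input_file detour is that the password is then neither visible in the process list while emcli runs nor recorded in the shell history, and the temporary file that carries it is mode 0600 and deleted after each call.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. Sets ORACLE_HOME
# credentials for many host/home combinations with one emcli set_credential
# call per input line, keeping the password off the emcli command line.
# Assumptions: emcli is on PATH and logged in; input lines look like
#   host:oh_user:oh_password:home1[;home2...]   (format invented here)
# and a tag used as the whole -columns value is read from the -input_file
# named by that tag (Table 4-5); verify with "emcli help set_credential".
set -eu

EMCLI=${EMCLI:-emcli}

# Write "OHUsername:<user>;OHPassword:<password>" to a private temp file and
# print its path.
write_columns_file() {
    f=$(mktemp "${TMPDIR:-/tmp}/ohcreds.XXXXXX")
    chmod 600 "$f"
    printf 'OHUsername:%s;OHPassword:%s' "$1" "$2" > "$f"
    printf '%s\n' "$f"
}

# set_oh_credentials_from_file <rows-file>
# One set_credential call per non-blank, non-comment line. Tries every line
# and returns non-zero if any line was malformed or any call failed.
set_oh_credentials_from_file() {
    rows=$1
    failed=0
    # "|| [ -n "$host" ]" also processes a last line without a trailing newline.
    while IFS=: read -r host ohuser ohpass homes || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        if [ -z "$ohuser" ] || [ -z "$ohpass" ] || [ -z "$homes" ]; then
            echo "skipping malformed line for host '$host'" >&2
            failed=1
            continue
        fi
        cols=$(write_columns_file "$ohuser" "$ohpass")
        if ! "$EMCLI" set_credential -target_type=host -target_name="$host" \
                -credential_set=OHCreds -columns=OHCREDS \
                -input_file="OHCREDS:$cols" -oracle_homes="$homes"; then
            echo "set_credential failed for $host ($homes)" >&2
            failed=1
        fi
        rm -f "$cols"    # the secret exists on disk only for the one call
    done < "$rows"
    return $failed
}

if [ "$#" -eq 1 ]; then
    set_oh_credentials_from_file "$1"
fi
```

Protect the input file itself the same way (mode 0600, removed when the run is done): it holds every password in clear text, which is exactly what the stored ORACLE_HOME credentials are meant to spare the job submitter from seeing.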


4.8.2 Patching Oracle Homes When the User is Locked

To patch an Oracle Home owned by an operating system user (for example, oracle) whose account is locked:

  1. Edit the default patching script and prepend sudo, sudo -u user, or pbrun -u user to the default patching step. You need to set a policy (by editing the sudoers file) so that the user submitting the job (who must be a valid operating system user) can run sudo or pbrun without being prompted for a password.

4.8.3 Cloning Oracle Homes

The cloning application is wizard-driven. The source of the Oracle Home being cloned may be either an installed Oracle Home or a Software Library. Following are the steps in the cloning process:

  1. If the source is an installed Oracle Home, then, after selecting the Oracle Home, the user needs to specify the Oracle Home credentials. Once specified for an Oracle Home, these credentials are stored in the repository, and the next time a user clones the same Oracle Home they are automatically populated. The other parameters queried from the user at this point are a temporary location (on the source computer) and the list of files to be excluded from the Oracle Home. If the cloning source is a Software Library, the source Oracle Home credentials are not queried for.

  2. The user needs to specify the target location and provide the required credentials for each target location. These credentials will be the Oracle Home credentials for each of these target locations. Subsequently, if a user selects any of these cloned Oracle Homes as a source, the Oracle Home credentials are automatically populated.

  3. Depending on the product being cloned, the user can view the Enterprise Manager page where query parameters required for the particular product being cloned are displayed.

  4. The user can then view the execution of user-supplied pre-cloning and post-cloning scripts and of the root.sh script. The root.sh script always runs with sudo privileges, but the user can decide whether the pre-cloning and post-cloning scripts run with sudo privileges. Finally, the user can schedule the cloning job at a convenient time.

For more information about cloning, refer to the Enterprise Manager Online Help.

4.8.4 Using the sudo Command

sudo allows a permitted user to execute a command as the superuser or as another user, as specified in the sudoers file. You need to set a policy (by editing the sudoers file) that allows the user submitting the job (who must be a valid operating system user) to use sudo. For more information, see the sudo manual page (man sudo) on Unix. Enterprise Manager authenticates the submitting user through sudo and executes the script under sudo.

For example, if the command to be executed is foo -arg1 -arg2, it is executed as sudo -S foo -arg1 -arg2. The -S option makes sudo read the password from standard input instead of the terminal, so that it can be supplied by Enterprise Manager rather than typed interactively.
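A sudoers policy for Sections 4.8.2 and 4.8.4 (patching as a locked ORACLE_HOME owner, and the sudo -S invocation Enterprise Manager uses), as an added example that is not part of the Oracle documentation. The submitter name emjob, the owner name oracle and the OPatch path are assumptions. The rule it produces grants exactly one thing: the submitting user may run the listed command, as the owner, without a password. It does not grant ALL, root or a shell, the command path must be absolute, and names and path are checked for sudoers metacharacters so that a value such as "/u01/x/opatch, /bin/sh" cannot quietly widen the rule.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. Builds and installs a
# least-privilege sudoers drop-in so the OS user who submits the patching job
# may run only the patching step, only as the ORACLE_HOME owner, with
# NOPASSWD so "sudo -S <cmd> <args>" never stalls on a prompt.
# Assumed names: submitter "emjob", owner "oracle", command
# /u01/app/oracle/product/10.2.0/db_1/OPatch/opatch.
# Installing needs root and visudo; building the rule does not.
set -eu

# Account names must be plain; the command must be an absolute path with no
# whitespace or sudoers metacharacters (",", "!", "=", ":", "\", "*", "?").
valid_name() {
    case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}
valid_command() {
    case $1 in /*) ;; *) return 1 ;; esac
    case $1 in *[!A-Za-z0-9._/-]*) return 1 ;; esac
}

# sudoers_rule <submitter> <owner> <abs-command>
# Prints "<submitter> ALL=(<owner>) NOPASSWD: <abs-command>". In sudoers a
# command listed without arguments may be run with any arguments (what the
# patching step needs), but the path itself must match exactly.
sudoers_rule() {
    valid_name "$1" && valid_name "$2" && valid_command "$3" || {
        echo "sudoers_rule: bad submitter, owner or command: $1 $2 $3" >&2
        return 1
    }
    printf '%s ALL=(%s) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# install_sudoers_rule <submitter> <owner> <abs-command> [dir]
# Writes the rule as a drop-in (default /etc/sudoers.d/em-patching) only
# after visudo has syntax-checked it, with the 0440 mode sudo requires.
install_sudoers_rule() {
    dir=${4:-/etc/sudoers.d}
    tmp=$(mktemp "${TMPDIR:-/tmp}/sudoers.XXXXXX")
    sudoers_rule "$1" "$2" "$3" > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! visudo -c -f "$tmp" >/dev/null; then
        echo "install_sudoers_rule: visudo rejected the rule" >&2
        rm -f "$tmp"
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" "$dir/em-patching"
    rm -f "$tmp"
}

if [ "$#" -eq 3 ]; then
    install_sudoers_rule "$1" "$2" "$3"
    # Show what the submitter may now run, from sudo's own point of view.
    sudo -l -U "$1"
fi
```

Run it as root, for example `sh em_sudoers.sh emjob oracle /u01/app/oracle/product/10.2.0/db_1/OPatch/opatch`; the drop-in requires an `#includedir /etc/sudoers.d` line in /etc/sudoers, which current sudo packages ship by default. For the root.sh step of cloning (Section 4.8.3), which always runs with sudo privileges, add a second rule with root as the owner and the absolute path of root.sh as the command, rather than widening this one.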