2.7 Additional Security Considerations
After you enable security for the Enterprise Manager components and framework, there are additional security considerations. This section provides the following topics:
■ Changing the SYSMAN and MGMT_VIEW Passwords
■ Responding to Browser-Specific Security Certificate Alerts
2.7.1 Changing the SYSMAN and MGMT_VIEW Passwords
This section describes the commands used to change the SYSMAN and MGMT_VIEW passwords.
2.7.1.1 Changing the SYSMAN User Password
The SYSMAN user account is used by the Oracle Management Server to login into the Oracle Management Repository to store and query all activity. The password is stored encrypted. If the SYSMAN password changes at the OMR it must also be changed at the OMS, to ensure proper functioning of Enterprise Manager Cloud Control for all operations.
Table 2–4 (Cont.) Auditable Events
Event                                          Enabled/Disabled (By Default)
Retry Job                                      Disabled
Revoke Privilege                               Disabled
Revoke Role                                    Disabled
Save Monitoring Settings                       Disabled
Set Privilege Delegation Setting               Disabled
Stop Job                                       Disabled
Submit Job                                     Disabled
Subscribe Update Type                          Disabled
Suppress Violation                             Disabled
Suspend Job                                    Disabled
Target Login                                   Disabled
Target Logout                                  Disabled
Undeploy Custom Configuration Specification    Disabled
Unsubscribe Update Type                        Disabled
Unsuppress Violation                           Disabled
Update Database Password                       Disabled
Update Metric Extension                        Disabled
Update Password                                Disabled
Update is available                            Disabled
Note: From 12c onwards, directly modifying the password for SYSMAN or any other repository user at the Repository Database is not recommended. Hence, ensure that the passwords are changed only using one of the methods listed below.
If the current SYSMAN password is known
1. Stop all OMS instances by running emctl stop oms:
OMS_Home/bin/emctl stop oms
If BIP is configured, stop BIP on each machine by running:
OMS_Home/bin/emctl stop oms -bip_only
If JVMD and/or ADP is configured, stop the JVMD/ADP engines:
emctl extended oms jvmd stop -all
emctl extended oms adp stop -all
Execute the same emctl stop oms command on all the OMS machines, including the primary OMS machine. Do not include '-all' in the emctl stop oms command, as the Admin Server needs to be up during this operation.
2. Modify the SYSMAN password:
cd <OMS_HOME>/bin
emctl config oms -change_repos_pwd [-old_pwd <old_pwd>] [-new_pwd <new_pwd>] [-use_sys_pwd [-sys_pwd <sys_pwd>]]
To be prompted for both passwords instead, run the command without options:
emctl config oms -change_repos_pwd
Command Parameters
Parameter            Description
-change_repos_pwd    Used to change the SYSMAN password.
-old_pwd             The current SYSMAN password.
-new_pwd             The new SYSMAN password.
-use_sys_pwd         Optional. Connects to the database as the SYS user. Use this option if the SYSMAN account on the database has expired or is locked.
-sys_pwd             The password for the SYS user. Required only if -use_sys_pwd is specified.
Command Behavior:
Note:
The above command will prompt you for the current password of the SYSMAN user and the new password.
The password will be modified at the Repository Database and in the monitoring credentials for the 'OMS and Repository' target.
Along with the SYSMAN password, this command will modify the password for the EM users (SYSMAN_MDS, BIP, SYSMAN_OPSS, SYSMAN_APM, SYSMAN_RO) created in the Repository Database.
Sample Command Output
emctl config oms -change_repos_pwd
Oracle Enterprise Manager Cloud Control 12c Release 12.1.0.1.0 Copyright (c) 1996, 2011 Oracle Corporation. All rights reserved.
Enter Repository User's Current Password :
Enter Repository User's New Password :
Changing passwords in backend ...
Passwords changed in backend successfully.
Updating repository password in Credential Store...
Successfully updated Repository password in Credential Store.
Restart all the OMSs using 'emctl stop oms -all' and 'emctl start oms'.
Successfully changed repository password.
3. Stop the Admin Server on the primary OMS machine and restart all the OMS:
cd <OMS_HOME>/bin
emctl stop oms -all
4. Restart all the Management Services:
cd <OMS_HOME>/bin
emctl start oms
If the current SYSMAN password is unknown
1. Stop all the OMS:
cd <OMS_HOME>/bin
emctl stop oms
Execute the same command on the primary OMS machine as well. Do not include '-all', as the Admin Server needs to be up during this operation.
2. Modify the SYSMAN password:
cd <OMS_HOME>/bin
emctl config oms -change_repos_pwd -use_sys_pwd -sys_pwd <sys user password> -new_pwd <new sysman password>
Note:
The '-use_sys_pwd' is used to connect to the database as a SYS user and modify the SYSMAN password in the Repository database.
The current SYSMAN password is not prompted for; only the new password needs to be entered. The old password is reset to the new password entered.
The password will be modified at the Repository Database and in the monitoring credentials for the 'OMS and Repository' target.
Along with the SYSMAN password, this command will modify the password for the EM users (SYSMAN_MDS, BIP, SYSMAN_OPSS, SYSMAN_APM, SYSMAN_RO) created in the Repository Database.
3. Stop the Admin Server on the primary OMS machine and restart all the OMS:
cd <OMS_HOME>/bin
emctl stop oms -all
emctl start oms
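The two procedures above (known and unknown current password) differ only in the emctl options and share the same stop/change/stop -all/start ordering. The script below is an added example, not part of the Oracle guide, that runs that ordering on one OMS host and makes the one security difference between the two paths explicit: the interactive form keeps both passwords off the command line, while the -use_sys_pwd form necessarily puts the SYS and new SYSMAN passwords into emctl's argument list, where they are readable by other local users through ps for as long as emctl runs. The OMS_HOME default is a placeholder, and the script assumes the plain emctl stop oms has already been run on any other OMS hosts. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: runs the documented SYSMAN password
# rotation on one OMS host in the order the guide requires. Assumptions:
# OMS_HOME points at the OMS installation (the default below is a placeholder),
# and on a multi-OMS site 'emctl stop oms' (without -all) has already been run
# on the other OMS hosts. DRY_RUN=1 prints each emctl command instead of running it.
OMS_HOME="${OMS_HOME:-/path/to/OMS_HOME}"
EMCTL="$OMS_HOME/bin/emctl"

# run CMD ARGS...: execute, or with DRY_RUN=1 print the command line instead.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# rotate_sysman_password known
#   emctl prompts for the current and new SYSMAN password; no secret is on the
#   command line, so nothing shows up in 'ps' output or in shell history.
# rotate_sysman_password unknown SYS_PWD NEW_SYSMAN_PWD
#   the guide's form for a lost password: connects as SYS and passes both
#   passwords as emctl options. Those options are visible to every local user
#   in 'ps' while emctl runs, so use this path only when the current password
#   really is lost. With DRY_RUN=1 the values are printed as given, so pass
#   placeholders when dry-running.
rotate_sysman_password() {
  mode="$1"
  case "$mode" in
    known)
      [ $# -eq 1 ] || { echo "usage: rotate_sysman_password known" >&2; return 1; }
      set -- config oms -change_repos_pwd ;;
    unknown)
      [ $# -eq 3 ] || { echo "usage: rotate_sysman_password unknown SYS_PWD NEW_SYSMAN_PWD" >&2; return 1; }
      set -- config oms -change_repos_pwd -use_sys_pwd -sys_pwd "$2" -new_pwd "$3" ;;
    *)
      echo "mode must be 'known' or 'unknown'" >&2; return 1 ;;
  esac
  # Step 1: stop this OMS. No -all here: the Admin Server must stay up for the
  # password change.
  run "$EMCTL" stop oms || return 1
  # Step 2: change the password at the repository and in the OMS credential store.
  run "$EMCTL" "$@" || return 1
  # Step 3: now stop the Admin Server as well, then bring everything back.
  run "$EMCTL" stop oms -all || return 1
  run "$EMCTL" start oms
}

# Usage: DRY_RUN=1 sh rotate_sysman.sh known
if [ $# -gt 0 ]; then
  rotate_sysman_password "$@"
fi
```

Run it first with DRY_RUN=1 to confirm the four emctl invocations and their order before running it for real; on a multi-OMS site, only the host that runs the change and the `stop oms -all` needs to be the primary OMS.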
2.7.1.2 Changing the MGMT_VIEW User Password
To change the password of the MGMT_VIEW user, you use the following command:
emctl config oms -change_view_user_pwd [-sysman_pwd <sysman_pwd>] [-user_pwd <user_pwd>] [-auto_generate]
Parameter               Description
-change_view_user_pwd   Used to change the MGMT_VIEW user's password.
-sysman_pwd             The password for the SYSMAN user.
-user_pwd               The new password for the MGMT_VIEW user.
-auto_generate          If this option is specified, the password is auto-generated.
1. Stop all OMSs.
<OMS_HOME>/bin/emctl stop oms
2. On one of the OMSs, run the following command:
<OMS_HOME>/bin/emctl config oms -change_view_user_pwd [-old_pwd <old_pwd>] [-new_pwd <new_pwd>]
3. Restart the AdminServer and all the OMSs.
emctl stop oms -all
emctl start oms
2.7.2 Responding to Browser-Specific Security Certificate Alerts
When you connect to Enterprise Manager via HTTPS, the Management Service presents your browser with a certificate to verify the identity of the Management Service. This certificate has been verified by a third party that your computer trusts.
When a Web browser encounters an untrusted certificate, it generates security alert messages. The security alert dialog boxes appear because Enterprise Manager's certificate is issued by a Certificate Authority which the browser does not trust.
You can choose to ignore the warnings and continue with your Enterprise Manager session, or you can import the CA certificates into the browser's list of trusted "root" certificates to eliminate the certificate security alerts in future browser sessions.
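The browser's alert is the visible side of a chain-validation failure: the console's certificate does not chain to a root the browser trusts. Before importing anything into the trusted root list, it is worth reproducing that decision outside the browser so you know exactly which issuer is involved. The following is an added example, not part of the Oracle guide, that uses openssl to fetch the chain the console presents, run the same trust check a browser would against a CA bundle of your choosing, and print the issuer that would need to be trusted. openssl being installed is assumed; host, port and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: reproduces the browser's trust
# decision for the Enterprise Manager console certificate with openssl.
# Assumes openssl is installed. Host, port and file names are placeholders.

# fetch_chain HOST PORT OUTFILE: save the PEM chain the console presents
# (leaf first, then any intermediates the OMS sends). Needs network access.
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# cert_issuer CERTFILE: issuer DN of the first certificate in the file, i.e. the
# CA whose certificate the browser would have to trust.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# chain_trusted CHAINFILE CAFILE: exit 0 when the leaf certificate chains to a
# root in CAFILE. The chain file is also passed as -untrusted so that any
# intermediates it contains can be used to build the path, just as a browser
# uses the intermediates the server sends.
chain_trusted() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# check_console CHAINFILE CAFILE: human-readable verdict; exit status mirrors
# chain_trusted so the function can be used from scripts.
check_console() {
  if chain_trusted "$1" "$2"; then
    echo "trusted: certificate chains to a root in $2; no browser alert expected"
  else
    echo "UNTRUSTED: browser alert expected; issuer is '$(cert_issuer "$1")'"
    echo "import that CA's certificate into the browser's trusted roots to clear it"
    return 1
  fi
}

# Usage (placeholders): fetch_chain oms.example.test 7799 /tmp/oms-chain.pem
#                       check_console /tmp/oms-chain.pem /etc/ssl/certs/ca-certificates.crt
```

Point CAFILE at the bundle your browsers actually use (the system store on most Linux desktops, or an exported copy of the corporate root) rather than at the OMS wallet itself; verifying against the wallet's own CA always succeeds and tells you nothing about what the browser will do.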
Third Party Certificate Workflow
The following high-level steps are involved in setting up Enterprise Manager to use third party certificates.
Step 1: Generate a wallet and have it certified by a third party authority such as Entrust, Verisign, Thawte, or DigiCert.
Step 2: Configure the custom wallets on each OMS. For instructions, see Section 2.3.9.1, "Configuring a Third Party Certificate for HTTPS Console Users".
Step 3: Add the certificate to the browser’s list of trusted root certificates to eliminate