
2.3.6 Enabling Security for the Management Repository Database

This section describes how to enable Security for the Oracle Management Repository.

This section includes the following topics:

About Oracle Advanced Security and the sqlnet.ora Configuration File

Configuring the Management Service to Connect to a Secure Management Repository Database

Enabling Oracle Advanced Security for the Management Repository

Enabling Security for a Management Agent Monitoring a Secure Management Repository or Database

2.3.6.1 About Oracle Advanced Security and the sqlnet.ora Configuration File

You enable security for the Management Repository by using Oracle Advanced Security. Oracle Advanced Security ensures the security of data transferred to and from an Oracle database.

See Also: Oracle Database Advanced Security Administrator's Guide

To enable Oracle Advanced Security for the Management Repository database, you must make modifications to the sqlnet.ora configuration file. The sqlnet.ora configuration file is used to define various database connection properties, including Oracle Advanced Security parameters.

The sqlnet.ora file is located in the following subdirectory of the Database home:

<OMS_ORACLE_HOME>/network/admin

After you have enabled Security for the Management Repository and the Management Services that communicate with the Management Repository, you must also configure Oracle Advanced Security for the Management Agent by modifying the sqlnet.ora configuration file in the Management Agent home directory.

See Also: "Enabling Security for a Management Agent Monitoring a Secure Management Repository or Database"

It is important that both the Management Service and the Management Repository are configured to use Oracle Advanced Security. Otherwise, errors will occur when the Management Service attempts to connect to the Management Repository. For example, the Management Service might receive the following error:

ORA-12645: Parameter does not exist

To correct this problem, be sure both the Management Service and the Management Repository are configured as described in the following sections.

Note: The procedures in this section describe how to manually modify the sqlnet.ora configuration file to enable Oracle Advanced Security. Alternatively, you can make these modifications using the administration tools described in the Oracle Database Advanced Security Administrator’s Guide.

2.3.6.2 Configuring the Management Service to Connect to a Secure Management Repository Database

If you have enabled Oracle Advanced Security for the Management Service database—or if you plan to enable Oracle Advanced Security for the Management Repository database—use the following procedure to enable Oracle Advanced Security for the Management Service:

1. Stop the Management Service:

<OMS_ORACLE_HOME>/bin/emctl stop oms

2. Set Enterprise Manager operational properties by using the emctl set property command. The following table shows the emoms properties that must be set.

Table 2–2 Oracle Advanced Security Properties in the Enterprise Manager Properties

Property: oracle.sysman.emRep.dbConn.enableEncryption

Description: Defines whether or not Enterprise Manager will use encryption between the Management Services and Management Repository.

Possible values are TRUE and FALSE. The default value is TRUE.

For example:

emctl set property -name 'oracle.sysman.emRep.dbConn.enableEncryption' -value 'true'

Property: oracle.net.encryption_client

Description: Defines the Management Service encryption requirement.

Possible values are REJECTED, ACCEPTED, REQUESTED, and REQUIRED.

IMPORTANT: DO NOT set the encryption_client property to REQUIRED as this prevents Enterprise Manager from receiving notifications from server generated alerts (such as tablespace full). Currently, Enterprise Manager does not support server generated alerts with the REQUIRED setting; only the REQUESTED setting is supported.

The default value is REQUESTED. If the database supports secure connections, then the Management Service uses secure connections, otherwise the Management Service uses insecure connections.

For example:

oracle.net.encryption_client=REQUESTED

Property: oracle.net.encryption_types_client

Description: Defines the different types of encryption algorithms the client supports.

Possible values should be listed within parentheses. The default value is ( DES40C ).

For example:

oracle.net.encryption_types_client=( DES40C )

Property: oracle.net.crypto_checksum_client

Description: Defines the Client's checksum requirements.

Possible values are REJECTED, ACCEPTED, REQUESTED, and REQUIRED.

The default value is REQUESTED. In other words, if the server supports checksum enabled connections, then the Management Service uses them, otherwise it uses normal connections.

For example:

oracle.net.crypto_checksum_client=REQUESTED

3. Restart the Management Service.

<OMS_ORACLE_HOME>/bin/emctl start oms

2.3.6.3 Enabling Oracle Advanced Security for the Management Repository

To ensure your database is secure and that only encrypted data is transferred between your database server and other sources, review the security documentation available in the Oracle Database documentation library.

See Also: Oracle Database Advanced Security Administrator's Guide

The following instructions provide an example of how you can confirm that Oracle Advanced Security is enabled for your Management Repository database and its connections with the Management Service:

1. Locate the sqlnet.ora configuration file in the following directory of the database Oracle Home:

<OMS_ORACLE_HOME>/network/admin

2. Using a text editor, look for the following entries (or similar entries) in the sqlnet.ora file:

SQLNET.ENCRYPTION_SERVER = REQUESTED

SQLNET.CRYPTO_SEED = "abcdefg123456789"

See Also: "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" in the Oracle Application Server 10g Administrator’s Guide.

3. Save your changes and exit the text editor.

2.3.6.4 Enabling Security for a Management Agent Monitoring a Secure Management Repository or Database

After you have enabled Oracle Advanced Security for the Management Repository, you must also enable Advanced Security for the Management Agent that is monitoring the Management Repository:

1. Locate the sqlnet.ora configuration file in the following directory inside the home directory for the Management Agent that is monitoring the Management Repository:

AGENT_HOME/network/admin (UNIX)

AGENT_HOME\network\admin (Windows)

Table 2–2 (Cont.) Oracle Advanced Security Properties in the Enterprise Manager Properties

Property: oracle.net.crypto_checksum_types_client

Description: Defines the different types of checksum algorithms the client supports.

Possible values should be listed within parentheses. The default value is ( MD5 ).

For example:

oracle.net.crypto_checksum_types_client=( MD5 )

2. Using a text editor, add the following entry to the sqlnet.ora configuration file:

SQLNET.CRYPTO_SEED = "abcdefg123456789"

The SQLNET.CRYPTO_SEED value can be any string of 10 to 70 characters.

See Also: "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" in the Oracle Application Server Administrator’s Guide.

3. Save your changes and exit the text editor.

4. Restart the Management Agent.
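
The sqlnet.ora check in 2.3.6.3 and the agent-side entry in 2.3.6.4 can be scripted. The following is an added example, not part of the Oracle documentation: it confirms that SQLNET.ENCRYPTION_SERVER asks for encryption (repository role only) and that SQLNET.CRYPTO_SEED is 10 to 70 characters long. The function names, the role argument, and the rule that the sample seed printed in this section must be replaced are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Oracle code): audit a sqlnet.ora for the entries described above.

# sqlnet_get FILE PARAM
# Prints the value of PARAM; the name match is case-insensitive, quotes are stripped.
sqlnet_get() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        { eq = index($0, "="); if (eq == 0) next
          name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
          gsub(/[ \t]/, "", name)
          gsub(/^[ \t"]+|[ \t"\r]+$/, "", val)
          if (toupper(name) == toupper(want)) { print val; exit } }' "$1"
}

# audit_sqlnet FILE ROLE   (ROLE: repository | agent)
# Findings go to stdout; returns 0 when every check passes, 1 otherwise.
audit_sqlnet() {
    rc=0
    seed=$(sqlnet_get "$1" SQLNET.CRYPTO_SEED)
    if [ -z "$seed" ]; then
        echo "FAIL: SQLNET.CRYPTO_SEED is not set"; rc=1
    elif [ "${#seed}" -lt 10 ] || [ "${#seed}" -gt 70 ]; then
        echo "FAIL: SQLNET.CRYPTO_SEED is ${#seed} characters, expected 10 to 70"; rc=1
    elif [ "$seed" = "abcdefg123456789" ]; then
        # Assumption of this example: the seed printed in the guide must be replaced.
        echo "FAIL: SQLNET.CRYPTO_SEED is the documentation sample value"; rc=1
    fi
    if [ "$2" = "repository" ]; then
        enc=$(sqlnet_get "$1" SQLNET.ENCRYPTION_SERVER | tr '[:lower:]' '[:upper:]')
        case "$enc" in
            REQUESTED|REQUIRED) ;;               # the server asks for encryption
            "") echo "FAIL: SQLNET.ENCRYPTION_SERVER is not set"; rc=1 ;;
            *)  echo "FAIL: SQLNET.ENCRYPTION_SERVER=$enc does not ask for encryption"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Constructed sample input: the two entries as printed in this section.
write_sample() {
    printf '%s\n' '# constructed sample' \
        'SQLNET.ENCRYPTION_SERVER = REQUESTED' \
        'SQLNET.CRYPTO_SEED = "abcdefg123456789"' > "$1"
}

# Run as: sh audit_sqlnet.sh <path to sqlnet.ora> repository|agent
if [ "$#" -eq 2 ]; then audit_sqlnet "$1" "$2"; fi
```

Run it once against the repository database's sqlnet.ora with the repository role and once against the Management Agent's file with the agent role; a nonzero exit status means at least one finding was printed.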