Table of Contents
- Title and Copyright Information
- Preface
- 1 Security Overview
- 2 Security Features
- Configuring Authentication
- Supported Authentication Schemes
- Creating a New Administrator
- Deleting an Administrator
- Enterprise User Security Based Authentication
- Oracle Internet Directory (OID)
- Microsoft Active Directory Based Authentication
- External Authorization using External Roles
- Mapping LDAP User Attributes to Enterprise Manager User Attributes
- Changing User Display Names in Enterprise Manager
- Configuring Other LDAP/SSO Providers
- Configuring Enterprise User Security based Authentication
- Restoring to the Default Authentication Method
- Configuring Privileges and Role Authorization
- Configuring Secure Communication
- About Secure Communication
- Enabling Security for the Oracle Management Service
- Securing the Oracle Management Agent
- Managing Agent Registration Passwords
- Restricting HTTP Access to the Management Service
- Configuring the Management Service and Agents to Connect to a Secure Management Repository and Target Databases
- Custom Configurations
- Secure Communication Setup Tools
- Configuring Third Party Certificates
- Configuring and Using Target Credentials
- Credential Subsystem
- Named Credentials
- Privileged Credentials
- Monitoring Credentials
- Preferred Credentials
- Saving Preferred Credentials for Hosts and Oracle Homes
- Saving Preferred Credentials to Access My Oracle Support
- Managing Credentials Using EM CLI
- Host Authentication Features
- Setting Up SSH Key-based Host Authentication
- Setup Example Session
- Setting Up Host Preferred Credentials Using SSH Key Credentials
- Authenticating host credentials
- Configuring the PAM "emagent" Service
- Sudo and PowerBroker Support
- Authentication Utility Tools Configuration
- Sudo Configuration
- Powerbroker Configuration
- Privilege Needed for Creating a Privilege Delegation
- Creating a Privilege Delegation
- Setting Privilege Delegation Templates from Cloud Control
- Setting Privilege Delegation via EM CLI
- Testing Privilege Delegation Settings
- Agent Support for PowerBroker
- Starting an Agent Using Sudo or PowerBroker Credentials
- Creating a Privilege Delegation Setting
- Configuring and Testing OCI Credentials
- Configuring and Using Cryptographic Keys
- Configuring and Managing Audit
- Additional Security Considerations
- Privileged Access Management Integration
- Introduction
- Understanding the User Roles
- Prerequisites
- Configuration
- Configuration of Multi-OMS Environments
- PAM configurations supported in EM
- Typical Use cases
- Frequently Asked Questions about PAM Integration with Enterprise Manager
- What are the components of a PAM integration script?
- How does Enterprise Manager read errors occurring in the PAM integration script?
- How does the PAM integration script get stored within EM and how does EM handle tamperings of the script?
- How to map the script output to an Enterprise Manager credential object?
- What are the parameters to be passed in the config_cred_provider emcli command?
- What are the available global parameters to be used with the PAM integration feature in EM?
- What are the file permissions to be set on the script to register a PAM provider in EM?
- How to avoid long running times of the PAM integration script?
- 3 Keeping Enterprise Manager Secure
- Guidelines for Secure Infrastructure and Installations
- Secure the Infrastructure and Operating System
- Securing the Oracle Management Repository
- Securing the Oracle Management Agent
- Secure Communication
- Security Console
- Guidelines for SSL Communication
- Guidelines for Authentication
- Guidelines for Authorization
- Guidelines for Auditing
- Guidelines for Managing Target Credentials
- Oracle Enterprise Manager FIPS140-2 Settings
- 4 Security Best Practices for Database Management in Enterprise Manager
- Database Monitoring User Access
- Flexible Database Access Control
- Database Management Roles and Responsibilities
- Application DBA Access
- Application Developer Access
- Database Administrator Access
- Pluggable Database Administrator Access
- Privilege Groups
- Database Application DBA
- Database Application Developer
- Manage Database High Availability Privilege Group
- View Database High Availability Privilege Group
- Manage Database Performance Privilege Group
- View Database Performance Privilege Group
- Manage Database Schema Privilege Group
- View Database Schema Privilege Group
- Manage Database Security Privilege Group
- View Database Security Privilege Group
- Manage Database Storage Privilege Group
- View Database Storage Privilege Group
- Secured Communication (TCPS) Access to Databases
- Kerberos and RADIUS Authentication
- Account Management
- Oracle Enterprise Manager Support for TDE-Enabled Oracle Databases
- 5 Troubleshooting
- 6 References
- A Out-of-Box Roles
- EM_ALL_ADMINISTRATOR
- EM_ALL_DESIGNER
- EM_ALL_OPERATOR
- EM_ALL_VIEWER
- EM_CLOUD_ADMINISTRATOR
- EM_COMPLIANCE_DESIGNER
- EM_COMPLIANCE_OFFICER
- EM_CPA_ADMIN
- EM_HOST_DISCOVERY_OPERATOR
- EM_INFRASTRUCTURE_ADMIN
- EM_PATCH_ADMINISTRATOR
- EM_PATCH_DESIGNER
- EM_PATCH_OPERATOR
- EM_PLUGIN_AGENT_ADMIN
- EM_PLUGIN_OMS_ADMIN
- EM_PROVISIONING_DESIGNER
- EM_PROVISIONING_OPERATOR
- EM_SSA_ADMINISTRATOR
- EM_SSA_USER
- EM_TARGET_DISCOVERY_OPERATOR
- EM_TC_DESIGNER
- EM_USER
- PUBLIC
- B User Access to Database Targets without SYSDBA Privileges
- C Privileges
- D Audit Operations
- E Configure TLSv1.2 for Communication with the Enterprise Manager Repository
- F Add a New Security Certificate
- Index