Additional Security Considerations

After you enable security for the Enterprise Manager components and framework, there are additional security considerations. This section provides the following topics:

Changing Oracle Account Passwords

This section describes the commands used to change the SYSMAN, MGMT_VIEW, and EUS_ENGINE_USER passwords.

Changing the SYSMAN User Password

The SYSMAN user account is used by the Oracle Management Service to log in to the Oracle Management Repository to store and query all activity. The password is stored encrypted. If the SYSMAN password changes at the OMR, it must also be changed at the OMS to ensure proper functioning of Enterprise Manager for all operations. This includes other SYSMAN users such as:

  • SYSMAN_STB
  • SYSMAN_TYPES
  • SYSMANUPGR_OPSS

If you have configured Oracle Analytics Server (OAS) for reporting and analytics by using the data from Enterprise Manager, then for steps to change the SYSMAN password, see Update OAS Configuration with SYSMAN Password.

Note:

Directly modifying the password for SYSMAN or any other repository user at the Repository Database is not recommended. Hence, ensure that the passwords are changed only using one of the methods listed below.

If the current SYSMAN password is known

  1. Stop all OMS instances by running emctl stop oms:

    OMS_Home/bin/emctl stop oms

    If JVMD and/or ADP is configured, stop the JVMD/ADP engines:

    emctl extended oms jvmd stop -all

    emctl extended oms adp stop -all

    Execute the same command on all the OMS machines including the primary OMS machine. Do not include '-all' as the Admin Server needs to be up during this operation.

  2. Modify the SYSMAN password on all the OMS machines including the primary OMS server:

    cd <OMS_HOME>/bin

    emctl config oms -change_repos_pwd [-old_pwd <old_pwd>] [-new_pwd <new_pwd>] [-use_sys_pwd [-sys_pwd <sys_pwd>]]

    emctl config oms -change_repos_pwd

    Command Parameters

    -change_repos_pwd   Changes the SYSMAN password.
    -old_pwd            The current SYSMAN password.
    -new_pwd            The new SYSMAN password.
    -use_sys_pwd        Optional. Connects to the database as the SYS user. Use this option if the SYSMAN account on the database has expired or is locked.
    -sys_pwd            The password for the SYS user. Required only if -use_sys_pwd is specified.

    Command Behavior:

    Note:

    The above command will prompt you for the current password of the SYSMAN user and the new password.

    The password will be modified at the Repository Database and the monitoring credentials for the 'OMS and Repository' target.

    Along with the SYSMAN password, this command will modify the password for the EM users (SYSMAN_MDS, SYSMAN_OPSS, SYSMAN_APM, SYSMAN_RO) created in the Repository Database.

    Sample Command Output

    emctl config oms -change_repos_pwd 
    Oracle Enterprise Manager 24ai Release 1 
    Copyright (c) 1996, 2024 Oracle Corporation. All rights reserved. 
    Enter Repository User's Current Password : 
    Enter Repository User's New Password : 
     
    Changing passwords in backend ... 
    Passwords changed in backend successfully. 
    Updating repository password in Credential Store... 
    Successfully updated Repository password in Credential Store. 
    Restart all the OMSs using 'emctl stop oms -all' and 'emctl start oms'. 
    Successfully changed repository password.
    
  3. Stop the Admin server on the primary OMS machine and re-start all the OMS:

    cd <OMS_HOME>/bin

    emctl stop oms -all

  4. Restart all the Management Services:

    cd <OMS_HOME>/bin

    emctl start oms

If the current SYSMAN password is unknown

  1. Stop all the OMS:

    cd <OMS_HOME>/bin

    emctl stop oms

    Execute the same command on the primary OMS machine as well. Do not include '-all' as the Admin Server needs to be up during this operation.

    In addition, check and complete the following steps:

    • If JVMD and/or ADP is configured, stop the JVMD/ADP engines:

      emctl extended oms jvmd stop -all

      emctl extended oms adp stop -all

  2. Modify the SYSMAN password on all the OMS machines including the primary OMS server:

    cd <OMS_HOME>/bin

    emctl config oms -change_repos_pwd -use_sys_pwd -sys_pwd <sys user password> -new_pwd <new sysman password>

    Note:

    The '-use_sys_pwd' parameter connects to the database as the SYS user and modifies the SYSMAN password in the Repository database.

    You are not prompted for the current SYSMAN password; only the new password needs to be entered. This resets the old password to the new password entered.

    The password will be modified at the Repository Database and the monitoring credentials for the 'OMS and Repository' target.

    Along with the SYSMAN password, this command will modify the password for the EM users (SYSMAN_MDS, SYSMAN_OPSS, SYSMAN_APM, SYSMAN_RO) created in the Repository Database.

  3. Stop the Admin server on the primary OMS machine and re-start all the OMS:

    cd <OMS_HOME>/bin

    emctl stop oms -all

    emctl start oms

Update OAS Configuration with SYSMAN Password

If you have configured Oracle Analytics Server (OAS) for reporting and analytics by using the data from Enterprise Manager, then you must also update OAS with the new password set for SYSMAN user.

  1. Change the SYSMAN password utilized by OAS in the Database Security Model:

    1. Log in to OAS as a Super Administrator, either the SYSMAN user or the internal SuperUser that may have been configured for out-of-band security operations. Navigate to Administration, and under Security Center, click Security Configuration.

      Note:

      When OAS is configured with the Database Security Model, the weblogic user is not a valid user for logging in to OAS. Only valid EM users can be used to log in to OAS when it is configured with the Database Security Model.
    2. Temporarily check the Enable Local SuperUser check box.

      After the site is set up and functioning as required, the local super user can be disabled.

    3. In the Authorization section:

      • Uncheck the Use LDAP check box.
      • Set the Security Model to Oracle Database.
      • Enter the value for the new SYSMAN credentials to be used with Enterprise Manager.
      • Click Apply.
  2. Update the SYSMAN password in Enterprise Manager. See Changing the SYSMAN User Password.

  3. Restart the OAS server and log in to OAS as the SYSMAN user.

  4. Confirm that correct OAS Group Assignments are displayed.

  5. Confirm that all the reports, both live and scheduled, operate as expected.

  6. Disable the OAS Local Super User. Restart the OAS server again.

Changing the MGMT_VIEW User Password

To change the password of the MGMT_VIEW user, you have to use the following command:

emctl config oms -change_view_user_pwd [-user_pwd <user_pwd>] [-auto_generate]

Command Parameters

-change_view_user_pwd   Changes the MGMT_VIEW user's password.
-user_pwd               The new password for the MGMT_VIEW user.
-auto_generate          If this option is specified, the password is auto-generated.

  1. Stop all OMSs.

    <OMS_HOME>/bin/emctl stop oms

  2. On one of the OMSs, run the following command:

    <OMS_HOME>/bin/emctl config oms -change_view_user_pwd [-old_pwd <old_pwd>] [ -new_pwd <new_pwd>]

  3. Restart the AdminServer and all the OMSs.

    emctl stop oms -all

    emctl start oms

When you change the password of the MGMT_VIEW user by using the emctl command, the monitoring credentials for the Management Service target, which are set to MGMT_VIEW, are not updated. You have to change the password manually:

  1. Go to the Enterprise Manager Console URL.
  2. Enter the credentials for a valid Single Sign-On user.
  3. From the Setup menu, select Security, and then Monitoring Credentials.
  4. Select the Target Type as Oracle Management Service and click Manage Monitoring Credentials.
  5. In the monitoring credentials page for the Oracle Management Service target type, update the password for MGMT_VIEW manually to the new password and save the changes.
  6. Click Save.

Changing the EUS_ENGINE_USER User Password

To change the password of the EUS_ENGINE_USER user if it is not managed by RUEI, connect to the database using SQL*Plus and use the password command:

  1. Open a terminal window and connect to the database:

    $ sqlplus EUS_ENGINE_USER@database

  2. Use the password command:
    SQL> password
    Changing password for EUS_ENGINE_USER
    Old password: 
    New password: 
    Retype new password: 
    Password changed

Responding to Browser-Specific Security Certificate Alerts

When you connect to Enterprise Manager via HTTPS, the Management Service presents your browser with a certificate to verify the identity of the Management Service. The browser accepts this certificate silently only if it has been signed by a third-party Certificate Authority that your computer trusts. When a Web browser encounters an untrusted certificate, it generates security alert messages. The security alert dialog boxes appear because Enterprise Manager's certificate is issued by a Certificate Authority which the browser does not trust.

You can choose to ignore the warnings and continue with your Enterprise Manager session, or you can import the CA certificates into the browser's list of trusted "root" certificates to eliminate the certificate security alerts in future browser sessions.

Third Party Certificate Workflow

The following high-level steps are involved in setting up Enterprise Manager to use third party certificates.

  • Step 1: Generate a wallet and have it certified by a third party authority such as Entrust, Verisign, Thawte, or DigiCert.
  • Step 2: Configure the custom wallets to each OMS. For instructions, see Configuring a Third Party Certificate for HTTPS Console Users.
  • Step 3: Add the certificate to the browser's list of trusted root certificates to eliminate further browser certificate warnings. The following sections describe how to respond to browser-specific security alert dialog boxes when you are using Enterprise Manager in a secure environment. Note: Step 3 is not required for well-known certificate authorities such as Verisign or Entrust.

Responding to the Internet Explorer Security Alert Dialog Box

Security is enabled by default for the Management Service. However, if you have not enabled the more extensive security features of your web tier, you will likely receive the following warning: "There is a problem with this Web site's security certificate." This occurs because Enterprise Manager's certificate is issued by a Certificate Authority which the browser does not trust.

When Internet Explorer displays the certificate warning page, use the following instructions to install the certificate and avoid viewing this page again in future Enterprise Manager sessions:

  1. From the certificate warning page, click Continue to this Web site (not recommended).

    Internet Explorer displays a Security Warning dialog.

  2. Click Yes. Internet Explorer may display a Security Alert dialog if you have not selected "In the future, do not show this warning." in a previous Internet Explorer session. Click OK to dismiss the dialog.
  3. The Enterprise Manager console logon page displays.
  4. At the top of the browser, click Certificate Error to display the Certificate pop-up.
  5. Click View Certificates. The Certificates dialog appears.
  6. Click the Certificate Path tab and select the first entry in the list of certificates as shown in the following graphic.
  7. Click View Certificate to display a second Certificate dialog box.
  8. Click Install Certificate to display the Certificate Import wizard.
  9. Accept the default settings in the wizard, click Finish when you are done.

    Internet Explorer displays a Security Warning asking if you want to install the certificate. Click Yes. Internet Explorer will display a message stating that the certificate was imported successfully.

  10. Click OK to close each of the security dialog boxes and click Yes on the Security Alert dialog box to continue with your browser session.

    You should no longer receive the Security Alert dialog box in any future connections to Enterprise Manager when you use this browser.

Responding to the Mozilla Firefox New Site Certificate Dialog Box

Firefox will also issue a connection warning when Enterprise Manager's certificate is issued by a Certificate Authority which the browser does not trust. When you first attempt to display the Enterprise Manager console using the HTTPS URL in Mozilla Firefox, you will receive a warning because the connection is untrusted.

(Graphic: the Firefox untrusted connection message.)

When Firefox displays the Untrusted Connection page, use the following instructions to install the certificate and avoid viewing this page again in future Enterprise Manager sessions:

  1. Review the instructions and information. Click I Understand the Risks. Firefox displays additional information and the opportunity to add the certificate.
  2. Click Add Exception... . Firefox displays the Add Security Exception dialog.
  3. Ensure that the Permanently store this exception option is selected.

    You should no longer receive the New Site Certificate dialog box when using the current browser.

  4. Click Confirm Security Exception. The Enterprise Manager console displays.

You will no longer receive the untrusted connection warning in any future connections to Enterprise Manager when you use this browser.

Responding to the Google Chrome Security Alert Dialog Box

Google Chrome issues a warning if the security certificate of the website is not trusted. When you first attempt to display the Enterprise Manager console using the HTTPS URL in Google Chrome, you will receive a warning because the connection is untrusted.

When Google Chrome displays the Untrusted Connection page, use the following instructions to install the certificate and avoid viewing this page again in future Enterprise Manager sessions:

Note:

Installing a certificate using this method on Google Chrome may still lead to performance degradation. To solve this issue, the best option is to obtain a trusted certificate from a vendor of your choice.

  1. Click the crossed-out padlock icon on the left-hand side of the URL address bar.
  2. Click Certificate Information in the menu.
  3. Select the Certification Path tab.
  4. Select the OMS host name (a red cross icon).
  5. Click View Certificate.
  6. Select the Details tab.
  7. Click Copy to File...
  8. Save the certificate on your Desktop. For example, you can save it as:
    adc1110000.cer
    
  9. From the Google Chrome menu, go to Tools, click Settings, and then select Show Advanced Settings.
  10. Click Manage Certificates.
  11. Select the Trusted Root Certification Authority tab.
  12. Click Import.

    A wizard guides you through the process of importing the saved certificate.

    A warning window displays a message that the certificate you are importing cannot be verified and asks if you want to continue. Click Yes to proceed.

  13. Check if the saved certificate appears in the Trusted Root Certification Authority table.
  14. Restart the Google Chrome browser and load the Enterprise Manager URL. If the Certificate Error icon is not visible in the address bar, then the certificate is valid and trusted.

Responding to the Safari Security Dialog Box

Safari does not support the option to install a certificate individually. To solve this issue, you have to obtain a trusted certificate from a vendor of your choice.