Guidelines for Secure Infrastructure and Installations

Securing your Oracle Enterprise Manager deployment involves securing all layers of the stack starting with the underlying operating system (OS) on which the OMS and Repository reside all the way up to the Enterprise Manager components themselves. These recommendations will increase overall security as well as prevent certain DoS attacks.

Secure the Infrastructure and Operating System

Harden the machines themselves by removing all unsecure services such as rsh, rlogin, telnet, and rexec on Linux platform (for the list of unsecure services and how to remove them on different platforms, please refer to the CIS benchmarks). It is also recommended to stop non-essential services, this minimizes the ‘attack footprint' of the host and reduces resource consumption by services that are not required, freeing up system resources to deliver the best performance from the OMS.

Restrict OS access by supporting only indirect or impersonation-based access to all Oracle Homes by using utilities such as sudo or PowerBroker. Protect the WebLogic Server Home directory, especially the domain directory which contains configuration files, security files, log files and other Java EE resources for the WebLogic domain. Grant only one OS user who runs WebLogic Server the access privilege to the directory.

Ensure that all the Oracle Homes are patched with the latest CPU (Critical Patch Update). This is a recommended best practice for securing the Oracle Management Service, Repository, Agents and managed targets. Setup your My Oracle Support credentials to detect new Security Alerts and CPUs from the Patch Advisor. With the default Security Recommendations for Oracle Products compliance standard, when a target is missing the latest Security patches, a compliance standard violation will be triggered. In addition, the Secure Configuration for Host should be associated to the hosts of the OMS and Repository. There are additional compliance standards for Database and WLS that can be applied depending on your level of security. Review the Oracle Enterprise Manager Administrator's Guide section on Compliance for more information on available compliance standards and how to associate targets.

The OMS runs on top of the Oracle WebLogic Server. Most of the best practices for securing Oracle WebLogic Server are applicable for securing the OMS as well. Refer to the Oracle Fusion Middleware Securing a Production Environment for Oracle WebLogic Server section Securing Oracle WebLogic Server for additional information.

Ensure that the OMS, Repository and Agent are monitored for filesystem space. The OMS writes a lot of information to log and trace files, and proper space needs to be available for successful operation and troubleshooting. The Agent also relies on filesystem space for log and trace files as well as collecting target metrics.

Best Practices for Securing the Infrastructure and Operating System

Remove unsecure services and stop non-essential services on all infrastructure components
Restrict OS access and protect critical files and directories
Apply latest OS security patches
Adhere to security Compliance Standards and apply latest Oracle CPU patches to all components (OMS, Repository and Agent)
Monitor filesystem space for OMS, Repository and Agent

Securing the Oracle Management Repository

In addition to the above recommendations, steps are necessary to secure the Oracle Management Repository. Since the Oracle Management Repository resides within an Oracle database, a number of the best practices for securing the Oracle database itself are applicable to securing the Repository as well. For best practices on Oracle database security, please refer to the Oracle Database Security Checklist.

The above document also covers certain Operating System level steps that need to be performed to secure the database. Following are additional recommendations to be implemented in the Enterprise Manager deployment.

Enable Advanced Security Option

Enable Advanced Security Option (ASO) between the OMS and Repository to ensure that the data between the OMS and Repository is secure both from confidentiality and integrity standpoints. In addition to the ASO configuration required on the Repository database, you will need to configure the OMS and Agent to connect to a secure Repository database. The detailed instructions for implementing ASO for Enterprise Manager can be found in the Enterprise Manager Security section of the Oracle Enterprise Manager Administrator's Guide.

Please refer to the Oracle Database Advanced Security Administrator's Guide to obtain detailed information about ASO.

Restrict Network Access

Restrict network access to the host on which the Repository resides by putting the repository database behind a firewall and checking network IP addresses. The Listener should be configured to accept requests only from OMS nodes by adding the following parameters into TNS_ADMIN/protocol.ora file:

tcp.validnode_checking =YES
tcp.excluded_nodes = (list of IP addresses)
tcp.invited_nodes = (list of IP addresses), list all OMS nodes here)

The first parameter turns on the feature whereas the latter parameters respectively deny and allow specific client IP addresses from making connections to the Oracle listener. Please refer to the Secure the Network Connection section of the Oracle Database Security Guide for more information.

Audit SYS actions

Audit all SYS (schema) operations at the database level by setting AUDIT_SYS_OPERATIONS = TRUE.

Use the operating system syslog audit trail to minimize the risk that a privileged user, such as a database administrator, can modify or delete audit records stored in an operation system trail if the database version of Repository is 10gR2 or after.

For 10gR2 DB, refer to the Auditing documentation to obtain more information about syslog audit trail.
For 11g DB, set AUDIT_SYS_LEVEL initialization parameter appropriately to use syslog audit trail. Refer to the 11g documentation for details.

Securing User Accounts

Users should log in to the Console with their own individual accounts, and not use the SYSMAN user. SYSMAN is the schema owner and is more privileged than Enterprise Manager Super Administrators. Multiple users should be granted Super Administrator to reduce the need for SYSMAN access. One strong reason for creating multiple Super Administrator accounts is to ensure one user maintains account access in case another user becomes locked out by a dictionary/brute force attack. The Super Administrator privilege should be limited to users who truly need all the permissions that Super Administrator gives them.

In some cases, you may wish to prevent SYSMAN from logging into the console by executing the following SQL statement on the Repository database as the SYSMAN user:

UPDATE MGMT_CREATED_USERS 
SET SYSTEM_USER='-1' 
WHERE user_name='SYSMAN'

After disabling SYSMAN from logging into console, you can enable it by executing:

UPDATE MGMT_CREATED_USERS 
SET SYSTEM_USER='1' 
WHERE user_name='SYSMAN'

Use password profiles to enforce the password control of Enterprise Manager Administrators while Repository-based authentication is used. There is an out-of-box password profile MGMT_ADMIN_USER_PROFILE with the following parameter settings for Enterprise Manager Administrators:

FAILED_LOGIN_ATTEMPTS=10
PASSWORD_LIFE_TIME=180
PASSWORD_REUSE_TIME=UNLIMITED
PASSWORD_REUSE_MAX=UNLIMITED
PASSWORD_LOCK_TIME=1
PASSWORD_GRACE_TIME=7
PASSWORD_VERIFY_FUNCTION=MGMT_PASS_VERIFY

The out-of-box password verification function MGMT_PASS_VERIFY will ensure that the password cannot be same as username, its minimum length is 8, and it must have at least one alphabet, digit and punctuation character. You can create customized password profiles with different values to meet your special requirements, for example, a new password verification function to meet a stricter password complexity requirement.

Change SYSMAN and MGMT_VIEW users' password on a regular basis using only the method documented in the Security section of the Oracle Enterprise Manager Administrator's Guide. The documented command (update_db_password()) helps you change the SYSMAN related passwords in the OMS and in the repository database. If you do not execute this command properly, the OMS may fail to start due to inconsistent passwords for one of the many accounts. You will be prompted for the old and new SYSMAN passwords.

When changing the MGMT_VIEW password, you can select -auto_generate to generate a random password that no one will know. The MGMT_VIEW password is used only by the Reporting system and should not be used for login, therefore the auto_generate flag can ensure the password is not known.

To avoid the service interruption due to the lockout of internal users, SYSMAN and MGMT_VIEW users are associated with MGMT_INTERNAL_USER_PROFILE upon install. The password parameters are all set to UNLIMITED. In addition, to avoid sessions hanging or taking a long time due to resource consumption limit, MGMT_INTERNAL_USER_PROFILE's kernel parameters are set to default, which is unlimited as well.

Secure and Backup the Encryption Key

The Encryption Key is the master key that is used to encrypt/decrypt sensitive data, such as passwords and preferred credentials, stored in the Repository. The key itself is originally stored in the Repository and removed automatically once the installation is done. It only needs to be in the Repository during an upgrade. By storing the key separately from the Enterprise Manager schema, we ensure that the sensitive data such as Preferred Credentials remain inaccessible to the schema owner and other SYSDBA users (privileged users who can perform maintenance tasks on the database). Keeping the key outside of the Enterprise Manager schema will ensure that sensitive data remain inaccessible while Repository backups are accessed. Further, the Enterprise Manager schema owner (SYSMAN) should not have access to the OMS Oracle Homes to prevent reading or overwriting the emkey. See the Oracle Enterprise Manager Administrator's Guide for more detailed information about Enterprise Manager's Cryptographic Support and the emkey. Follow the process outlined below to secure the encryption key.

Backup the encryption key to a file by running the following command and keep the encryption file on a separate machine securely, restrict access to only the OMS software owner. If the encryption key is lost or corrupted, the encrypted data in the repository is unusable.

$ emctl config emkey –copy_to_file_from_credstore –emkey_file emkey.ora

The encryption key is required to be in the Repository for some operations such as Enterprise Manager patches and upgrades.

Remove the key from the Repository once the operation is done.

$ emctl config emkey –remove_from_repos

Best Practices for Securing the Oracle Management Repository

Enable Advanced Security Option on the Repository database and configure OMS and Agent
Restrict network access to known targets
Grant Super Administrator privilege to select administrators and do not log in with SYSMAN account
Enable strong password profiles and change application related account passwords regularly
Secure and backup the encryption key

Securing the Oracle Management Agent

For better security during agent installation, agents should be deployed using Enterprise Manager Enterprise Manager's Agent Deploy which uses the secure SSH protocol. When manually deploying Agents, to protect against the possibility of users installing unauthorized agents, use one-time registration passwords that have a reasonable expiry date instead of persistent registration passwords. Registration passwords can be created in the Console or by using the emctl secure setpwd command.

Install the agent as a separate user from OMS installation and support only impersonation based access to this account such as sudo or PowerBroker post installation to prevent unauthorized changes.

Secure Communication

There are several ways to secure the communication between OMS and agent, including firewalls, the OMS secure-lock feature, enabling TLSv1, enabling strong cipher suites and certificates. The following section looks at these in more detail.

Best Practices for Securing the Oracle Management Agent

Utilize the Enterprise Manager Agent Deployment method for Agent installations.
Use a one-time registration passwords with expiry dates
Install the Agent as a separate user from OMS or Targets

Note:

Agents on remote servers need to be installed as a separate OS user of the targets on that server, however, this does not apply to chained Agents. A chained Agent cannot be installed as a separate user because it gets installed along with the OMS.

Enable ICMP

Enterprise Manager uses the industry-standard Internet Control Message Protocol (ICMP) echo request to check status of target host machines if the agent has not uploaded or responded in a timely fashion or at expected intervals. If ICMP is disabled, the target will appear to be down. Firewall should be configured to allow ICMP to prevent false down target alerts.

A Beacon is a target that allows the Management Agent to remotely monitor services. A Beacon can monitor one or more services at any point in time. ICMP and User Datagram Protocol (UDP) are also used to transfer data between Beacon targets that allow an Agent to monitor services and the network components you are monitoring. If there is a firewall or ACL between the Web application components and the Beacons you use to monitor those components, you must configure it to allow ICMP, UDP, and HTTP traffic.

Configure Oracle Management Agent for Firewalls

When the host where the agent resides is protected by a firewall, you need to configure the agent to use a proxy, or configure the firewall to allow incoming communication from the OMS. To configure the firewall you must determine the port assigned to the agent and whether communication is HTTP or HTPS. You can find this information by running emctl status agent.

To configure the proxy set the following properties using the Enterprise Manager Console to edit the Agent properties or emctl setproperty agent and restart the agent. The proxy realm, user and password may not be required in all environments.

$ emctl setproperty agent -name REPOSITORY_PROXYHOST -value test01.example.com 
$ emctl setproperty agent -name REPOSITORY_PROXYPORT -value 80 
$ emctl setproperty agent -name REPOSITORY_PROXYREALM –value <value if needed> 
$ emctl setproperty agent -name REPOSITORY_PROXYUSER –value <value if needed> 
$ emctl setproperty agent -name REPOSITORY_PROXYPWD –value <value if needed>

Configure Oracle Management Service for Firewalls

In cases where the Oracle Management Service is behind a firewall, configurations will be needed to allow proxy communications to the agents or incoming communication through the firewall.

If the agents that are behind the firewall are in different domains, you can configure the proxy to allow communication for those agents and use the dontProxyFor parameter to identify the agents within the firewall. To configure the proxy on the Management Service set the following properties using emctl set property. The proxy realm, user and password may not be required in all environments.

$ emctl set property -name REPOSITORY_PROXYHOST -value test01.example.com 
$ emctl set property -name proxyPort -value 80 
$ emctl set property -name dontProxyFor –value ".example.com"

To configure the firewall to allow inbound communication from the agents for metric uploads, the firewall must be configured to accept HTTP/HTTPS traffic on the upload ports. The default ports are 4889 (HTTP) and 1159 (HTTPS). If your ports were customized you'll need to use those ports.

If there is a firewall between your browser and the Enterprise Manager Console, you must configure firewall to allow the console to receive HTTP/HTTPS traffic over port 7788/7799 (defaults). You can validate your port by looking at the URL you access the Console with.

https://test01.example.com:7799/em

Additional component installations such as JVMD and APD have additional port requirements. Default ports are 9702/9703 (http/https). For more information please see the documentation specific to the component.

To manage the database targets that are configured behind firewalls, you must allow Oracle Net traffic on the listener ports (typically 1521 but often customized). For more information regarding configuring Oracle Databases for firewalls see the Oracle Database 2 Day + Security Guide.

Security Console

The Security Console is available to Super Administrators only and provides all security related configuration information in one location, allowing you to view, analyze, and optimize security for your managed environment. To access the Security Console, from the Setup menu, select Security, and then Security Console.

When the Security Console first displays, it is divided into two main windows, the menu window on the left hand side and the information window on the right hand side.

The Security Console contains both static (text) and dynamic information. The text is to provide quick, high level context to the data, it is not intended as a replacement to your documentation.

The Security Console is categorized into the following security areas:

Overview

The overview section gives a high level description of each of the Security Console categories.

Pluggable Authentication

The Pluggable Authentication section is further divided into two tabs, an Overview tab and a Configuration tab.

Pluggable Authentication Overview

The Overview section contains text from the documentation, however, it is not meant as a replacement for the documentation. Enterprise Manager Authentication is the process of determining the validity of the user attempting to access Enterprise Manager. The authentication feature is available across the different interfaces such as the Enterprise Manager console and the Enterprise Manager Command Line Interface (EM CLI). Oracle Enterprise Manager relies on the WebLogic Server for external Authentication methods. For this reason, Enterprise Manager can be authenticated using any authentication method supported by Oracle WebLogic Server.

This section also identifies the Authentication schemes supported by Enterprise Manager, for more information please see Security Features, Configuring Authentication.

Pluggable Authentication Configuration

This section displays the current configuration information in your enterprise relating to Authentication.

Authentication Configuration

Authentication Mode: This parameter provides information on the various pluggable authentication schemes configured in your Enterprise Manager environment.

External User Support Enabled: Displays if you have external user authentication enabled. If using any authentication other than repository authentication, this will display yes.

Auto-provisioning supported: The status of auto-provisioning is also displayed. Auto-provisioning allows for an externally authenticated user to log into Enterprise Manager without being pre-configured within Enterprise Manager and the information is transferred from the authentication application. It requires that the OMS property oracle.sysman.core.security.auth.autoprovisioning be set. See Security Features and External Authorization using External Roles.

Password Profile

When creating an Administrator (go to Setup, select Security, click Administrators menu), you enter the type of password profile you want that user to use during login. This table gives a count of the number of users in Enterprise Manager which have been assigned the various password profiles. For more information on password profiles, see Securing User Accounts.

Fine-grained Access Control

Enterprise Manager implements granular privileges to control access to targets, and other resources, allowing administrators to better segregate their duties. For example, consider the provisioning designer and provisioning operator job responsibilities. The former has greater responsibilities (creates components in the Software Library) than the latter (submits deployments). Fine-grained access control explains the privileges and roles and how they serve to provide various levels of access control to different applications, groups, services and targets within Enterprise Manager. Information about the Administrators last login to the system, their number of privileges and roles granted and recommendations on best practices relating to appropriate usage of roles and privileges can be found in this section.

The Fine-grained Access Control area is divided into five tabs, An Overview, Administrators tab, Privileges tab, Roles tab and Privilege Propagation Aggregates tab.

Overview

Giving the same level of access to all systems to all administrators is dangerous, but individually granting access to tens, hundreds, or even thousands of targets to every new member of the group is time consuming. With Enterprise Manager's administrator privileges and roles feature, this task can be performed within seconds, instead of hours. Authorization controls the access to the secure resources managed by Enterprise Manager via system, target, and object level privileges and roles.

This section describes Enterprise Manager's Authorization model including user classes, roles, and privileges assigned to each user class. The following topics are described:

Classes of Users
Privileges and Roles

Classes of Users

Oracle Enterprise Manager supports different classes of Oracle users, depending upon the environment you are managing and the context in which you are using Oracle Enterprise Manager. There are three administrator access categories:

Super Administrator: Powerful Enterprise Manager administrator with full access privileges to all targets and administrator accounts within the Enterprise Manager environment. The Super Administrator, SYSMAN is created by default when Enterprise Manager is installed.The super administrator account can manage all other administrator accounts and set up all administrator credentials. The super administrator can:
- Create Enterprise Manager privileges and roles
- Perform the initial setup of Enterprise Manager, for example, defining e-mail configurations and defining global notifications rules
- Add targets to Enterprise Manager
- Perform any action on any target in the system
Administrator Regular Enterprise Manager administrator.
Repository Owner Database administrator for the Management Repository. This account cannot be modified, duplicated, or deleted.

Privileges and Roles

User privileges provide a basic level of security in Enterprise Manager. Privileges can be divided into two categories: Target Privileges and Resource Privileges

A role is a collection of Enterprise Manager resource privileges, or target privileges, or both, which you can grant to administrators or to other roles. These roles can be based upon geographic location (for example, a role for Canadian administrators to manage Canadian systems), line of business (for example, a role for administrators of the human resource systems or the sales systems), or any other model.

Out-of-Box Roles

Enterprise Manager comes with predefined roles to manage a wide variety of resource and target types.
External Roles

Enterprise Manager can be integrated with external authorization source like Active Directory by defining External roles.
Private Role
- Secure privileges like FULL_CREDENTIAL,FULL_JOB etc which are not granted to Super Administrators by default, can be granted to a private role.
- Private roles can not be converted into System Roles. Creator of a private role handles the life cycle of it.
- Private roles can be granted to administrators 'WITH_ADMIN' option from Enterprise Manage command line interface (EMCLI) which will enable administrators to grantor revoke private roles to/from other administrators.

Fine-grained Access Control Administrators

This lists all the Administrators current created in Enterprise Manager, and also lists the date and time in which they last logged in.

Fine-grained Access Control Privileges

This lists the top five administrators with the number of privileges directly granted to them. Administrators with high numbers of privileges indicate an inefficient use of privileges and should be directed to use roles instead. It is recommended that an Administrator be granted the minimum number of privileges necessary to perform their task. For more information on privileges and roles, see Managing Privileges with Privilege Propagating Groups.

This section also displays all the target and resource privileges available in Enterprise Manager, whether the privilege can be applied to a single target, a specific target, a target type and if that privilege contains another privilege.

Fine-grained Access Control Roles

This section allows us to view the top 5 Administrators with the Highest Number of Roles, if the number of role grants is high, it points to an inefficient role hierarchy, suggesting that roles could be combined for efficient manageability.

Roles with the Highest Number of Nested Roles can also be displayed here.

Fine-grained Access Control Privilege Propagation in Aggregates

An aggregate target is a target that consists of one or more member targets, such as groups and systems. Enterprise Manager support two type of aggregate targets based on privilege propagation mechanism:

Normal aggregate target - If any privilege is granted on aggregate target, only view privilege will be propagated to its members
Privilege Propagating aggregate target - If any privilege is granted on aggregate target then the same privilege will be propagated to its members

The following features are supported in case of target privileges on Aggregate Targets:

Separation between the privilege grants on aggregate target and its members
Along with the default existing behavior of propagating the same privilege on members, User can choose to have one privilege grant on aggregate target and another on its members. User can also choose to have no privilege on members.
In case of non privilege propagating aggregate targets by default only view will be granted to the members where as in case of privilege propagating aggregate targets whatever privilege is specified by the administrator that will be granted appropriately.
This feature is available from User and Role management pages as well as Target Access page in the user interface. On these pages, click Advanced Privilege Settings on top of Target Privileges table to see the advanced privileges in the table.
EM CLI support is also available for this new feature. Check EM CLI help for existing relevant verbs for more details on the usage.

Consider the following snapshot of the target privileges for a given administrator:

Privileges listed under column Manage Target Privilege Grants are applicable to the Group as well as the members.
Privileges listed under column Manage Aggregate Only Privilege Grants are applicable only on the Group.
Privileges listed under column Manage Member Only Privilege Grants are applicable only on the members.

In the following example, PPG_DB_group1 is a privilege propagating group of database targets. PPG_HOST_group2 is a privilege propagating group of host targets. NORMAL_group1 is a non-privilege propagating group.

Name	Type	Manage Target Privilege Grants	Manage Aggregate Only Privilege Grants	Manage Member Only Privilege Grants
PPG_DB_group1	Group	View	Configure Target	Blackout Target
PPG_HOST_group2	Group	None	Configure Target	None
NORMAL_group1	Group	None	Blackout Target	View
NORMAL_group1	Host	Host	Not Applicable	Not Applicable

Consider the first row in the above table. This configuration means that the given user has View privilege on group PPG_group1 as well as the members. Along with that it has Configure Target privilege only on the group PPG_group1 and Blackout Target privilege only on members. This means that the current user in the picture can create Blackout on the members of group PPG_group1 but cannot do so on the group itself and it can configure PPG_group1 but cannot configure the members. The user has View on group as well as the members.
Consider the second row.PPG_HOST_group2 is a privilege propagating group. This configuration means that the given user has Configure Target privilege only on the group PPG_group2 and it does not have even View on members.
In the third row one can see a non privilege propagating group where the user is having Blackout Target privilege on the group and View privilege on the members.
Note that the two new advanced privileges column values are not applicable in case of non aggregate target like host target.

Note that the above mentioned feature is applicable to all Aggregate Targets in general. The above example shows one of Aggregate Target type (Group).

Secure Communication

This section provides a high-level overview of Secure Communication terms and protocols used within Enterprise Manager. You can also view the current status of secured Enterprise Manager components, their certificate issuers, and details.

Secure Communication Overview

Enterprise Manager Framework Security implements the following types of secure connections between the Enterprise Manager components:

HTTPS and Public Key Infrastructure (PKI) components, including signed digital certificates, for communications between the Management Service and the Management Agents.
Oracle Advanced Security for communications between the Management Service and the Management Repository.

Enabling Security for the Oracle Management Service

To enable Enterprise Manager Framework Security for the Management Service, you use the emctl secure oms utility, performs the following actions:

Generates a Root Key within your Management Repository. The Root Key is used during distribution of Oracle Wallets containing unique digital certificates for your Management Agents.
Modifies your WebTier to enable HTTPS channel between your Management Service and Management Agent.
Enables your Management Service to accept requests from Management Agents using Enterprise Manager Framework Security.

Securing the Oracle Management Agent

When you install the Management Agent on a host, you must identify the Management Service that will be used by the Management Agent. To enable Enterprise Manager Framework Security for the Management Agent, use the emctl secure agent utility.

Restricting HTTP Access to the Management Service

It is important that only secure Management Agent installations that use the Management Service HTTPS channel are able to upload data to your Management Repository and Enterprise Manager console is accessible via HTTPS only.

Managing Agent Registration Passwords

Enterprise Manager uses the Agent Registration password to validate that installations of Oracle Management Agents are authorized to load their data into the Oracle Management Service.

The Agent Registration password is created during installation when security is enabled for the Oracle Management Service. You can add/edit/delete registration passwords directly from the Enterprise Manager console.

Enabling Security for the Management Repository Database

You enable security for the Management Repository by using Oracle Advanced Security.

Secure Communication Current Configuration

Agent Certificate Details: Displays secured agents along with their certificate details, including the algorithm, its strength, when it was created, when it expires and when the agent was secured.

Number of Unsecured Agents: Indicates the number of Agents in your enterprise that are currently operating unsecured.

Number of Expired Registration Passwords: Indicates the number of Agents which have stopped running due to an expired certificate.

Certificate Authority Details: Lists the certificates being used in your Enterprise Manager installation.

OMS Secure Configuration: Details the Enterprise Manager configuration and communication with the Management Services and indicates the secure configuration details of each, including the console and upload certificate details along with the SLB details.

Database Encryption Configuration

Following are the configuration details about encryption between the OMS and Management Repository/Target Database. The list of encryption algorithms and the checksum algorithms that the client supports are mentioned below. For more details refer to the section "Enabling Security for the Management Repository Database" above.

Encryption Algorithms Supported: Lists all the encryption algorithm details supported.
Encryption Algorithm In Use: Lists the current Algorithm being used.
Checksum Algorithm Supported: Lists the check-up Algorithm currently supported (Only SHA(x) is supported).
Checksum Algorithm in use: Lists the Algorithm currently in use.

Credentials Management

Credentials like user names and passwords are typically required to access targets such as databases, application servers, and hosts. Credentials are encrypted and stored in Enterprise Manager. The credential subsystem supports, in addition to basic username-password, strong authentication schemes such as PKI, SSH keys and Kerberos. SSH key based host authentication, used by jobs, deployment procedures and other Enterprise Manger subsystems, is now supported.

By using appropriate credentials, you can:

Collect metrics in the background as well as real-time
Perform jobs such as backup, patching, and cloning
Perform real-time target administration such as start, and stop
Connect to My Oracle Support

Based on their usage, credentials can be classified into the following categories:

Named Credentials
Monitoring Credentials
Preferred Credentials

Credentials Management Current Configuration

Encryption Key: The Encryption Key is the master key that is used to encrypt/decrypt sensitive data, such as passwords and preferred credentials that are stored in the Repository. The key is originally stored in the Repository and is removed from the Repository and copied to the Fusion Middleware managed Credential Store during installation of the first OMS.

Credentials Management Usage Statistics

The Usage Statistics tab provides credential usage information.

Comprehensive Auditing

Comprehensive Auditing shows the current auditable operations and whether they have been configured for external backup to disk. Statistics on the top five most used operations are also displayed, as well as the most active Administrators.

All operations performed by Enterprise Manager administrators, such as creating users, granting privileges, starting a remote job like patching or cloning, need to be audited to ensure compliance with the contracted internal controls of a service organization.

Non-repudiation is the central tenet of auditing. Enterprise Manager Comprehensive auditing provides a tamper-free audit trial of all critical operations.

From the Usage tab, you can view:

Current Auditing Configuration
Specific Audit Operations
Audit Usage Statistics (Top 5 Operations in the last 7 days and Top 5 Administrators in the last 7 days)

Active User Session Count

Active User Session Count shows information related to the session management, such as session timeout, max and active sessions per user count.

All authenticated open user sessions can be viewed from this area.

From the Active User Session Count area, you can view:

Session Settings (Session Timeout, Maximum Number of Sessions Allowed Per User, Permitted Number of Active Sessions )
Active Sessions

Best Practices Analysis

Based on observations of information in the above categories, best practices advice is indicated in this section and covers areas such as management of the repository encryption key and auditing operations management. You can quickly view Enterprise Manager security configuration adherence to recommended Oracle security protocols. In addition, suggested best practices are provided based on the specifics of your Enterprise Manager environment.

From the Best Practices Analysis area, you can view:

Pluggable Authentication: Best practice advice tailored to the pluggable authentication scheme of your environment.
Fine-grained Access Control: Best practice advice pertaining to role and privilege management.
Secure Communication: Best practices regarding secure communication between the Management Service, Agent, and Enterprise Manager console.