One key area of concern when it comes to our IT infrastructure, continues to be security, in particular user security. In the Oracle world, this concern exists at all levels from the front-end applications, to the middle tier level we use for deployment, to the back end tier or database layer, to the tools that we use to manage the entire infrastructure. To this end, in Cloud Control, Oracle has introduced some new features, and strengthened some of their existing functionality to help us ensure the security of Oracle’s primary IT infrastructure DBA management toolset.
In my last article, we took a look at two of the key security areas in EM12c, namely Cloud Control Authentication and Cloud Control Authorization. There are two additional sets of features that relate to User Security in Cloud Control, which are Credential Management and Target Authentication. These are the topics of my second article on Managing EM User Security.
Credentials are used to access most of the targets managed in EM12c. In many cases the credentials are a combination of username and password and are encrypted and stored in Enterprise Manager. Starting in 12c the credential system can use basic username/password and also strong authentication methods such as PKI, SSH keys and Kerberos. Additionally, SSH key based host level authentication can also be used for jobs, deployment procedures and in other areas.
Besides connecting to targets such as hosts, application servers and databases, credentials in EM12c can be used to do activities such as metric collection, run jobs, do target management activities (such as starting and stopping), end even connect to My Oracle Support.
The five categories of credentials in 12c Cloud are Named Credentials, Job Credentials, Monitoring Credentials, Collection Credentials and Preferred Credentials.
Named credentials are stored as their own independent objects in EM. Administrators can define and store a credential with an object name and that specific name can then be used to do activities against a target. What is extremely powerful about named credentials is the fact that the user who is accessing a target or running a job using a named credential in EM12c, never actually sees the username and password associated with the named credential.
Setting up named credentials allows an EM user to do a task, without compromising the details behind the named credential they are using. This is one of the strongest features of the new named credential feature in EM12c.
Named credentials are divided into two categories, global and target and they are created by going to the Setup Menu, and then selecting Named Credential.
Global named credentials are not specifically associated with any one EM target. They contain an authentication scheme and the authentication parameters. They can be associated with objects in EM as needed.
Target named credentials are associated with a specific target only, however, they do also consist of the authentication scheme along with the parameters for that target.
There are several rules in EM12c around access for named credentials
- Only the owner of a named credential can grant access to that named credential to other users
- EM Super Administrators cannot get privileges on a new named credential until they are explicitly granted privileges on the named credential
- EM Administrators can’t see the sensitive data in a named credential (such as passwords) from the user interface regardless of their privilege levels
- Credentials cannot be assigned to roles
- An EM Administrator cannot view other administrator credentials unless they have been explicitly granted access to it
- An EM Administrator can create their own named credentials and always have full privileges on the named credentials they own
Named credentials can be granted to other administrators as they are being created or by editing them after they are created.
Also, it must be noted that if an administrator’s account is deleted from EM, all of their named credentials will also be removed. Also, an EM Super Administrator cannot simply re-assign the credentials to another administrator. That is because they are not automatically granted access to any named credentials.
There are several levels of privilege that can be granted on a named credential.
An administrator with view privileges can see the structure of a named credential, but no sensitive information can be seen. The administrator can use the named credential to run jobs, do patching and other activities within EM12c.
An administrator with edit privileges can change sensitive information (such as a password or public/private key pair). They cannot change the Authentication Scheme and they cannot change the user name.
Allows an administrator to change all components of the named credential and also they can delete the named credential.
In EM12c, the job system uses the credential subsystem to get the appropriate information to submit a job to the target. When submitting a job, the administrator can configure the job to use preferred credentials, use named credentials or use new credentials set up for the job.
If a job is set up to use preferred credentials and there are none set up, the job will use the default credentials for that target. If there are also no default credentials or preferred credentials and this choice was selected, the job cannot be submitted.
The monitoring credentials are used by Management Agents on certain targets. The most common example would be database targets. In order to monitor a database there has to be a connection to that database that includes a username, password and generally a role.
Monitoring credentials stored in EM12c can also be used by other applications to connect to the target from the OMS.
Monitoring credentials are also configured via Setup and then Monitoring Credentials.
These are the credentials associated with metric extensions and their precursors, user defined metrics. For many metrics to be collected, analyzed and tested, a connection to the target via credentials is required.
Preferred credentials are used to simplify access to the targets by storing the login credentials for a target in EM. Users can use the preferred credentials to connect to a target without being prompted to log into the target each time they try to access that object. Preferred credentials are set on a per user basis.
There are two kinds of preferred credentials, default and target.
Default credentials are set for a particular target type rather than on a specific target. They are available for all targets of that particular type and will be overridden by any specific target credentials that are created.
Target credentials are the preferred credentials for a specific target. They can be used by the jobs system, notifications, regular connections etc.
For certain targets, in particular hosts, the functionality to do authentication using methods besides username and password has been added to EM12c.
EM12c supports the use of SSH-Key based host authentication as a means of setting up a secure channel between two different systems. This is primarily intended for Linux/Unix based hosts.
Configuring EM to use SSH based authentication when doing management actions allows administrators to leverage all of the security features of SSH in conjunction with all of the functionality of EM. When using SSH, the agent acts as a Java SSH client and uses the username/password as stored in the credentials.
EM stores a private/public key pair for the administrators and lets them view and install the public key on the host targets. After that, jobs can be submitted to the host by submitting them with the stored credential that has the private/public key information. OMS passes the keys to the agent with the job parameters. The agent then calls the Java SSH client and tries to connect to the host. The host OS then authenticates the Java SSH client and the agent can then submit the required actions on the host.
Securing EM User access can even go beyond what’s been discussed here to include Pluggable Authentication Modules to take advantage of tools such as Kerberos, Radius and LDAP.
In conclusion, Administrator authentication and user security is an area in Oracle Enterprise Manager 12c Cloud Control that has been greatly enhanced and provides tools and techniques that can ensure that EM administrators can do their jobs without compromising security.