0% found this document useful (0 votes)

41 views112 pages

Ops Center Security Overview 12c Release 3

Uploaded by

serge

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

41 views112 pages

Ops Center Security Overview 12c Release 3

Uploaded by

serge

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

Oracle® Enterprise Manager Ops Center

Security
12c Release 3 ([Link].0)
E59968-03

June 2016
Oracle Enterprise Manager Ops Center Security, 12c Release 3 ([Link].0)

E59968-03

Primary Author: Krithika Gangadhar

This software and related documentation are provided under a license agreement containing restrictions on
use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your
license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license,
transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse
engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is
prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If
you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on
behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software,
any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are
"commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-
specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the
programs, including any operating system, integrated software, any programs installed on the hardware,
and/or documentation, shall be subject to license terms and license restrictions applicable to the programs.
No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications.
It is not developed or intended for use in any inherently dangerous applications, including applications that
may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you
shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its
safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this
software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of
their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are
used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron,
the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro
Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products,
and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly
disclaim all warranties of any kind with respect to third-party content, products, and services unless
otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates
will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party
content, products, or services, except as set forth in an applicable agreement between you and Oracle.
Contents

Preface ................................................................................................................................................................. v
Audience ........................................................................................................................................................ v
Related Documents....................................................................................................................................... v
Conventions................................................................................................................................................... v

1 Overview
Overview of the Architecture ................................................................................................................. 1-1
About the Knowledge Base (KB) and Package Repository ........................................................ 1-1
About the Enterprise Controller..................................................................................................... 1-2
About the Proxy Controller ............................................................................................................ 1-2
About the Agent Controllers .......................................................................................................... 1-2
About the Database .......................................................................................................................... 1-2
Security of the Architecture ............................................................................................................ 1-3
About Authentication Between the Proxy Controller and Agents ........................................... 1-3
General Principles of Security................................................................................................................. 1-5
About Keeping Software Up To Date............................................................................................ 1-5
About Restricting Network Access................................................................................................ 1-5
About the Principle of Least Privilege........................................................................................... 1-6
About Monitoring System Activity ............................................................................................. 1-23

2 Secure Installation and Configuration

Planning the Deployment........................................................................................................................ 2-1
About High Availability.................................................................................................................. 2-1
Overview of Network Configuration............................................................................................ 2-2
About Infrastructure and Operating Systems.............................................................................. 2-3
About Storage Configuration ......................................................................................................... 2-3
About a Remote Database ............................................................................................................... 2-4
Typical Deployment......................................................................................................................... 2-5
Installing Oracle Enterprise Manager Ops Center............................................................................... 2-5
About Controlling Access ............................................................................................................... 2-6
About Substituting CA Certificates for the Default Certificates ............................................... 2-6
Obtaining a Certificate Authority's Certificate ............................................................................ 2-7

iii
Viewing the Enterprise Controller's Truststore and Keystore................................................... 2-7
About CA Certificate Expiration.................................................................................................... 2-8
Verify a Certificate's Expiration Date ............................................................................................ 2-8
Replace the Certificate for the Enterprise Controller .................................................................. 2-8
Replace the Certificate for the Proxy Controller........................................................................ 2-12
Substituting Certificates for the Glassfish Web Container....................................................... 2-16
Replace the Certificate for the Apache UCE Container ............................................................ 2-18
About Installing a Remote Proxy Controller Securely.............................................................. 2-20
Configuring Oracle Enterprise Manager Ops Center........................................................................ 2-20
About the Connection Mode ........................................................................................................ 2-21
Disable Multiple Logins ................................................................................................................ 2-22
About Securing the Log Files........................................................................................................ 2-23
About Database Credentials ......................................................................................................... 2-24
Disable the Domain Model Navigator ........................................................................................ 2-28
Enable the Domain Model Navigator on the Enterprise Controller....................................... 2-29
Using the Domain Model Navigator ........................................................................................... 2-29
Secure the Agents ........................................................................................................................... 2-30
About Securing the Browsers ....................................................................................................... 2-31
About Strong Cipher Encryption ................................................................................................. 2-31
Transport Layer Security (TLS) .................................................................................................... 2-32
Viewing the Enterprise Controller's Configuration........................................................................... 2-34
About Editing the Configuration ......................................................................................................... 2-34
Access to Database Data ........................................................................................................................ 2-35
Viewing Core Product Data Using Oracle SQL Developer...................................................... 2-35
Viewing Core Product Data Using SQL*Plus ............................................................................ 2-39

3 Security Features
Configuring and Using Authentication................................................................................................. 3-1
About Identity Management for Users ......................................................................................... 3-1
Credentials for My Oracle Support ............................................................................................... 3-5
Credentials for IAAS and Cloud Deployments ........................................................................... 3-5
About Authorization ................................................................................................................................ 3-5
About Credentials for Assets.......................................................................................................... 3-6
About Certificates........................................................................................................................... 3-25
Configuring and Using Access Control .............................................................................................. 3-25
Verifying Security of Session Cookies......................................................................................... 3-25
Setting the Expiration Time for Sessions .................................................................................... 3-26
Removing Code Examples ............................................................................................................ 3-26
Configuring and Using Data Protection.............................................................................................. 3-26
Using an NFS Server ...................................................................................................................... 3-26
About Backing Up and Restoring the Enterprise Controller ................................................... 3-27

Index

iv
Preface

The Oracle Enterprise Manager Ops Center Security Guide describes good practices for
managing security of Oracle Enterprise Manager Ops Center deployments.

Audience
This document is intended for system administrators who are responsible for planning
the configuration of the software or deploying the software.

Related Documents
For more information, see the Oracle Enterprise Manager Ops Center documentation
library at [Link]
Oracle Enterprise Manager Ops Center provides online Help. Click Help at the top-
right corner of any page in the user interface to display the online help window.

Conventions
The following text conventions are used in this document:

Convention Meaning
italic Italic type indicates book titles, emphasis, or placeholder variables for
which you supply particular values.

monospace Monospace type indicates commands, file names, and directories

within a paragraph, and code in examples.

v
1
Overview

Describes the product’s purpose.

Oracle Enterprise Manager Ops Center is a data center management solution for
managing both hardware and software from one console. This document presents
good practices for managing the security of Oracle Enterprise Manager Ops Center
deployments.

Overview of the Architecture

Describes the components on the product’s solution.
The Oracle Enterprise Manager Ops Center software has a distributed architecture
with a single master controller (Enterprise Controller) and multiple controllers (Proxy
Controllers). Each Proxy Controller connects either to multiple Agent Controllers
hosted on an Operating System instance or to managed systems or to both. Figure 1-1
shows a deployment with one Proxy Controller, which can be located on the same
system as the Enterprise Controller.

Figure 1-1 Basic Deployment

About the Knowledge Base (KB) and Package Repository

Describes the components of the product architecture that store images for operating
systems.
The Knowledge Base is the repository for metadata about Oracle Solaris 10-8 and
Linux OS components, which resides on Oracle's website. Oracle Enterprise Manager
Ops Center can connect to the Knowledge Base through the Internet to obtain OS
updates and updates to the product software itself. In a similar way, the Enterprise
Controller can get access to the Oracle Solaris 11 Package Repository for updates to
components of Oracle Solaris 11.

Overview 1-1
Overview of the Architecture

About the Enterprise Controller

Describes the role of the Enterprise Controller in the product architecture.
The Enterprise Controller is the central server for Oracle Enterprise Manager Ops
Center and there is only one Enterprise Controller in each installation. The Enterprise
Controller stores firmware and OS images, plans, profiles, and policies. The Enterprise
Controller also stores the asset data and site customizations in a database and hosts
the web container for the user interface components. The Enterprise Controller
handles all user authentication and authorization. All operations are initiated from the
Enterprise Controller.
Although the Enterprise Controller stores firmware and OS images, these images are
not included in a backup of the Enterprise Controller. As a good practice, create the
software library for OS images on networked storage (NAS). Then include the
network storage device in your site's backup plan.

About the Proxy Controller

Describes the role of the Proxy Controller in the product architecture.
A Proxy Controller links the managed assets to the Enterprise Controller and acts for
the Enterprise Controller in operations that must be located close to managed assets,
such as OS provisioning. The Proxy Controller provides fan-out capabilities to
minimize network load and to support complex network topologies. The Proxy
Controller also contains the logic for agent-less monitoring and management of
hardware.

About the Agent Controllers

Description of the role of the Agent.
An Agent is lightweight Java software that represents and manages an OS asset or OS
instance and responds to requests from a Proxy Controller. Hardware management
does not require an agent. The Agent receives the command from the Proxy
Controller, performs the required action, and reports results to the Proxy Controller.
An agent never communicates directly with the Enterprise Controller and does not
initiate operations.
To manage operating systems using agents, an Oracle SE Java Runtime Environment
is required. Non-Oracle versions work initially but might exhibit performance and
memory issues.
You can choose to manage operating systems without an agent by providing
credentials but some product features are not available. See Using Agent
Management for Operating Systems in the Oracle Enterprise Manager Operate
Reference for more information about Agent Controllers.

About the Database

Describes the types of databases used in the product.
The Enterprise Controller uses an Oracle Database 12c Enterprise Edition or Oracle
Database 11g Enterprise Edition database to store Enterprise Manager Ops Center
data. The database can be local or remote:

• The local database is embedded in the Enterprise Controller, created during

product installation.

1-2 Security
Overview of the Architecture

• A remote database is a new or existing customer-managed database.

Oracle Enterprise Manager Ops Center provides utilities to help you manage the local
database, migrate your data from a local database to a customer-managed database,
back up and recover the database schema, and change database credentials.

Security of the Architecture

Description of the locations in the architecture that need to be secured.
For a secure deployment, each communication direction must be protected. Use the
procedures in Table 1-1 to secure each connection.

Table 1-1 Secure Connections

Connection To Make Secure

From Internet to the Enterprise About Restricting Network Access
Controller About the Connection Mode

Between Enterprise Controller and About Database Credentials

database

Between Enterprise Controller and ‘To Add a Directory Server

LDAP server

Between Enterprise Controller and the Verify that a firewall does not separate the
NFS server Enterprise Controller and the NFS server.
Verify that the NFS server uses the NFSv4 protocol.

Between Enterprise Controller and Configure a reverse SSH tunnel when you install
remote Proxy Controllers the product software. This option is described in
the Oracle Enterprise Manager Ops Center Installation
for Oracle Solaris Operating System and the Oracle
Enterprise Manager Ops Center Installation for Linux
Operating Systems

Between Proxy Controller and assets Authentication is configured when the asset is
discovered and managed as described in About
Authentication Between the Proxy Controller and
Agents

About Authentication Between the Proxy Controller and Agents

Description of the relationship between Proxy Controllers and Agent Controllers.
In the normal operation of the product, various Proxy Controllers make requests for
asset data or status and receive the response from each asset. For each transaction, the
Proxy Controller must authenticate the asset and each asset must authenticate the
Proxy Controller, as described in this section.
For an agentless-managed asset, authentication requires an SSH password as
described in About Credentials for Assets. An alternative procedure for an OS asset
that does not require a password is to install a token manually, also described in that
section.

About Authentication of Agent-Managed Asset

Describes the result of installing an Agent Controller on an asset.

Overview 1-3
Overview of the Architecture

For an agent-managed asset, authentication is configured when the asset is discovered

and managed. The Enterprise Controller installs an agent controller on the asset. This
triggers two actions:

• Authentication of the Agent

• Authentication of the Proxy Controller

Overview of the Authentication of the Agent

Describes the process of how a Proxy Controller authenticates an Agent Controller.

1. Agent creates a public/private key pair

2. Agent saves the key pair in /var/opt/sun/xvm/persistence/scn-agent/

[Link]
Only the root user can read the agent properties file.

3. Agent sends the public key to the Enterprise Controller (through its Proxy
Controller)

4. Enterprise Controller creates a unique client registration ID for this agent.

5. Enterprise Controller saves the public key and the client registration ID together
in the database

6. Enterprise Controller sends the client registration ID to the agent,

7. Agent saves the client registration ID in t/var/opt/sun/xvm/persistence/

scn-agent/[Link] file.

Overview of the Authentication of the Proxy Controller

Describes the process of how an Agent Controller authenticates a Proxy Controller.

1. Proxy Controller's server-side certificate was prompted to the agent as part of the
handshake.

2. Agent accepts the certificate.

3. Agent saves the certificate locally in /var/opt/sun/xvm/security/jsse/

scn-agent/truststore

About Authenticated Transactions

Description of the authentication process
When an agent gets an inquiry:

1. Proxy Controller's web server sends its certificate to the agent.

2. Agent confirms this certificate with the already-accepted certificate saved

in /var/opt/sun/xvm/security/jsse/scn-agent/truststore. This is
the handshake.
If the agent does not confirm the Proxy Controller's certificate, the handshake fails. No
data is sent. This protects against an interloper.
When an agent responds to an inquiry:

1. Agent creates a string from the client reg ID and the private key. The string is its
signature

1-4 Security
General Principles of Security

2. Agent sends an HTTPS POST of the signature and the requested data to the Proxy
Controller.

3. Proxy Controller retrieves the public key for the agent's client reg ID from the
database.

4. Proxy Controller verifies that the message's signature was created from the
private key that matches the public key.
If the Proxy Controller detects that the message's private key does not match the
public key, the Proxy Controller does not allow the connection. This protects against
an entity misrepresenting itself as the agent.

General Principles of Security

Lists good security practices
This section describes the principles fundamental to using the software securely:

Topics

• About Keeping Software Up To Date

• About Restricting Network Access

• About the Principle of Least Privilege

• About Monitoring System Activity

About Keeping Software Up To Date

Description of a good practice for security.
Good security is maintained when all software versions and patches are current. This
document discusses Oracle Enterprise Manager Ops Center version 12c Release 3
([Link].0). As new versions or updates of Oracle Enterprise Manager Ops Center
become available, install the new software as soon as possible.

About Restricting Network Access

Describes how a firewall adds security to the product architecture.
Firewalls restrict access to systems to a specific network route that can be monitored
and controlled. When firewalls are used in combination, they create a DMZ, a term for
a subnetwork that controls access from an untrusted network to the trusted network.
Using firewalls to create a DMZ provide two essential functions:

• Blocks traffic types that are known to be illegal.

• Contains any intrusion that attempts to take over processes or processors.

In your deployment, design an environment that locates the Enterprise Controller's
system in a DMZ, that is, with a firewall between the system and the Internet and a
firewall between the system and the corporate intranet, as in Figure 1-2. This type of
environment allows the Enterprise Controller to get access to the Internet to perform
operations while in Connected mode, and restricts access to assets to only those
operations that manage the assets. When the Enterprise Controller is in Disconnected
mode, it operates without access to the Internet.

Overview 1-5
General Principles of Security

Figure 1-2 Firewalls Restrict Access to Enterprise Controller

If your data center includes remote Proxy Controllers, use firewalls between the
Enterprise Controller's system and the Proxy Controllers' systems.
To use Oracle Enterprise Manager Ops Center in Connected mode, use a firewall
between the Enterprise Controller and the Internet.
To configure the firewalls, see Oracle Enterprise Manager Ops Center Ports and Protocols
for information about required URLs, ports, and protocol information.

About the Principle of Least Privilege

Describes the method of securing user access.
The principle of least privilege states that users are given the lowest level of
permissions to perform their tasks. Granting roles or privileges in excess of a user's
responsibilities leaves a system open for non-compliance. Review privileges
periodically to determine whether they remain appropriate for each user's current job
responsibilities.
You give each user a set of roles, which determine the tasks the user can and cannot
perform, and a set of privileges which specify the assets, networks, or other objects to
which the user's roles apply. This gives you fine-grained control of the actions that
users can take.

Role Requirement for Tasks

Lists the role needed to perform each task.
Table 1-2 shows the permission needed to perform each action. Oracle Enterprise
Manager Ops Center groups permissions into roles and assigns one or more roles to a
user account. Table 1-3 shows the permissions granted by each role.

Table 1-2 Tasks and Permissions

Tasks Permission
Read Access Read Access

1-6 Security
General Principles of Security

Table 1-2 (Cont.) Tasks and Permissions

Tasks Permission
Add Assets Discover Assets
Find Assets

Manage Assets Manage Assets

Delete Assets

Create Group Asset Group Management

Edit Group
Add Assets to Group
Delete Group

New Update OS Job Update

Deploy or Update Software
Compare System Catalog
Create Catalog Snapshot
View and Modify Catalog

New Simulated OS Update Job Update Simulation

Configure and Deploy Server Server Deployment

Install Server
Configure RAID

Add or delete storage Virtualization Guest Management

Assign or detach network
Start Guest
Shut Down Guest
Migrate Guest
Clone Guest
Lifecycle actions

Assign Incidents Fault Management

Add Annotation to incidents
Acknowledge incidents
Take Actions on Incidents
Mark Incidents as Repaired
Close Incidents
Delete Notifications
Take Actions on Notification

Update Management Credentials Credential Management

Any Actions related to changing credentials

Edit Network Domain Network Management

Edit Network Attributes
Edit Network Services

Fabric Management Fabric Management

Overview 1-7
General Principles of Security

Table 1-2 (Cont.) Tasks and Permissions

Tasks Permission
Import ISO Storage Management
Upload image
Edit Attributes

Create reports Report Management

Delete reports

Create, delete, and modify profiles and plans Plan/Profile Management

Create/Update/Delete Instance Cloud Usage

Attach/Detach Volume to Instance
Create/Delete/Update Security Group
Create/Update/Delete Volume
Upload/Register/Delete templates
Create/RollbackTo/Delete Snapshot
Shutdown All servers
Link/Launch OVAB

Create/Delete/Update Cloud Cloud Management

Create/Delete/Update Cloud Domain
Create Public Security Group
Share Public Security Group
Create VM Instance Type

Manage Enterprise Controller Enterprise Controller Management

Unconfigure/Uninstall Proxy Controller Proxy Controller Management

Configure Agent Controller
Unconfigure Agent Controller
DHCP configuration
Subnets
External DHCP Servers

Configure/Connect Cloud Control Management

Disconnect/Unconfigure
Cloud Control Console

Unconfigure Windows Update Management

SCCM Configuration

Add Users User Management

Remove Users

Assign Roles Role Management

Asset Management Asset Management

Write Access Write Access

1-8 Security
General Principles of Security

Table 1-2 (Cont.) Tasks and Permissions

Tasks Permission
Open Service Request Service Request

Power On Power Management

Power Off
Power on with Net Boot
Set Power Policy

Chassis Management Chassis Management

Storage Server Management Storage Server Management

Launch Switch UI Switch Management

Reset Servers Server Management

Reset Service Processors
Refresh
Locator Light On/Off
Snapshot Bios Configuration
Update Bios Configuration

Reboot Operating System Management

Upgrade Agent Controller

Cluster Management Cluster Management

Aggregate Links Link Aggregation

IPMP Groups IPMP Groups

Update Firmware Update Firmware

Upgrade Proxy Controller Proxy Controller Upgrade

Execute Operation Operation Execution

Unconfigure Enterprise Controller Unconfigure EC

Add Product Alias Add Product Alias

Upgrade Enterprise Controller EC Upgrade

Set Enterprise Controller Storage Library EC Storage Library Management

Configure Local Agent EC Local Agent Management

Unconfigure Local Agent

Proxy Deployment Wizard EC Proxy Management

Set up Connection Mode EC Connection Mode Management

Register Enterprise Controller EC Registration

Change HTTP Proxy EC HTTP Proxy Management

Overview 1-9
General Principles of Security

Table 1-2 (Cont.) Tasks and Permissions

Tasks Permission
Edit Energy Cost EC Energy Cost Management

Ops Center Downloads Ops Center Downloads

Activate Boot Env and Reboot Boot Environment Management

Create New Boot Env.
Synchronize Boot Env.

Create Server Pool Server Pool Creation

Delete Server Pool Server Pool Deletion

Rebalance Resource Server Pool Management

Edit Server Pool Attribute
Attach Network to Server Pool
Associate Library to Server Pool
Add/Remove Virtual Host

Create OVM virtual Servers Server Pool Usage

Create zone servers
Create Logical Domains

Create Virtualization Host Virtualization Host Creation

Delete Virtualization Host Virtualization Host Deletion

Add/Remove Virtual Host to/from Server Pool Virtualization Host Management

Edit Tags
Edit Attributes
Reboot
Change Routing Configuration
Change NFS4 Domain
Change Naming Service
Change Remote Logging Configuration

Create Logical Domains Virtualization Host Usage

Create zones
Create OVM virtual servers

Create Logical Domains Virtualization Guest Creation

Create zones
Create OVM virtual servers

Delete Logic Domain Virtualization Guest Deletion

Delete Zones
Delete OVM Virtual Servers.

1-10 Security
General Principles of Security

Table 1-2 (Cont.) Tasks and Permissions

Tasks Permission
Start Guest Virtualization Guest Usage
Shutdown Guest
Migrate Guest
Clone Guest

Create Library Storage Creation

Delete Library Storage Deletion

Associate Library Storage Usage

Create Network Domain Network Creation

Create Network

Delete Network Domain Network Deletion

Delete Network

Assign Network Network Usage

Connect Guests

Create Fabric Fabric Creation

Delete Fabric Fabric Deletion

Fabric Management Fabric Usage

Chassis Usage Chassis Usage

Storage Server Usage Storage Server Usage

Switch Usage Switch Usage

Launch LOM Controller Server Usage

Edit Tags

Edit Tags Operating System Usage

Edit Attributes

Create Rack Rack Creation

Directory Server Management Directory Server Management

Power Distribution Unit Usage Power Distribution Unit Usage

Power Distribution Unit Management Power Distribution Unit Management

Rack Creation Rack Creation

Rack Deletion Rack Deletion

Rack Management Rack Management

Rack Usage Rack Usage

Overview 1-11
General Principles of Security

Table 1-2 (Cont.) Tasks and Permissions

Tasks Permission
OVM Manager Usage OVM Manager Usage

OVM Manager Management OVM Manager Management

Network Domain Creation Network Domain Creation

Network Domain Deletion Network Domain Deletion

Network Domain Management Network Domain Management

Network Domain Usage Network Domain Usage

Asset Network Management Asset Network Management

Job Management Job Management

Table 1-3 Roles and Permissions

1-12 Security
General Principles of Security

Table 1-3 (Cont.) Roles and Permissions

Role Permissions
Asset Admin Asset Group Management
Asset Management
Asset Network Management
Boot Environment Management
Chassis Management
Chassis Usage
Cluster Management
Discover Assets
IPMP Groups
Link Aggregation
Manage Assets
Network Management
Operating System Management
Operating System Usage
Power Distribution Unit Management
Power Distribution Unit Usage
Power Management
Rack Creation
Rack Deletion
Rack Management
Rack Usage
Read Access
Server Management
Server Usage
Service Request
Storage Server Management
Storage Server Usage
Switch Management
Switch Usage
Write Access

Overview 1-13
General Principles of Security

Table 1-3 (Cont.) Roles and Permissions

Role Permissions
Cloud Admin Asset Management
Asset Network Management
Cloud Management
Cloud Usage
Fabric Creation
Fabric Deletion
Fabric Management
Fabric Usage
IPMP Groups
Link Aggregation
Manage Assets
Network Creation
Network Deletion
Network Domain Creation
Network Domain Deletion
Network Domain Management
Network Domain Usage
Network Management
Network Usage
Operating System Management
Operating System Usage
OVM Manager Management
OVM Manager Usage
Profile Plan Management
Read Access
Role Management
Server Management
Server Pool Management
Server Pool Usage
Server Usage
Storage Management
Storage Server Management
Storage Server Usage
Storage Usage
Switch Management
Switch Usage
Virtualization Guest Creation
Virtualization Guest Deletion
Virtualization Guest Management
Virtualization Guest Usage
Virtualization Host Management
Virtualization Host Usage
Write Access

1-14 Security
General Principles of Security

Table 1-3 (Cont.) Roles and Permissions

Role Permissions
Cloud User Asset Management
Asset Network Management
Cloud Usage
Fabric Creation
Fabric Deletion
Fabric Usage
Manage Assets
Network Creation
Network Deletion
Network Domain Management
Network Domain Usage
Network Management
Network Usage
Operating System Management
Operating System Usage
OVM Manager Usage
Read Access
Server Pool Usage
Server Usage
Storage Management
Storage Server Usage
Storage Usage
Switch Usage
Virtualization Guest Creation
Virtualization Guest Deletion
Virtualization Guest Management
Virtualization Guest Usage
Virtualization Host Management
Virtualization Host Usage
Write Access

Overview 1-15
General Principles of Security

Table 1-3 (Cont.) Roles and Permissions

Role Permissions
Exalogic Systems Admin Asset Management
Credential Management
Directory Server Management
EC Energy Cost Management
EC HTTP Proxy Management
EC Registration
Fabric Creation
Fabric Deletion
Fabric Management
Fabric Usage
Job Management
Link Aggregation
Network Creation
Network Deletion
Network Domain Creation
Network Domain Deletion
Network Domain Management
Network Domain Usage
Network Management
Network Usage
Operating System Management
Operating System Usage
Operation Execution
OVM Manager Management
OVM Manager Usage
Power Distribution Unit Management
Power Distribution Unit Usage
Profile Plan Management
Proxy Controller Management
Read Access
Report Management
Role Management
Server Deployment
Server Management
Server Usage
Service Request
Storage Creation
Storage Deletion
Storage Management
Storage Server Management
Storage Server Usage
Storage Usage
Switch Usage
Update Firmware
User Management
Write Access
1-16 Security
General Principles of Security

Table 1-3 (Cont.) Roles and Permissions

Role Permissions
Fault Admin Fault Management
Read Access
Write Access

Overview 1-17
General Principles of Security

Table 1-3 (Cont.) Roles and Permissions

Role Permissions
Ops Center Admin Add Product Alias
Discover Assets
EC Connection Mode Management
EC Energy Cost Management
EC HTTP Proxy Management
EC Local Agent Management
EC Proxy Management
EC Registration
EC Storage Library Management
EC Upgrade
Enterprise Controller Management
Cloud Control Management
Job Management
Manage Assets
Ops Center Downloads
OVM Manager Management
OVM Manager Usage
Proxy Controller Management
Proxy Controller Upgrade
Read Access
Unconfigure EC
Windows Update Management
Write Access

Plan/Profile Admin Plan/Profile Management

Read Access
Write Access

Read Read Access

Report Admin Read Access

Report Management
Update Simulation
Write Access

Role Management Admin Read Access

Role Management
Write Access

Security Admin Credential Management

Read Access
Write Access

1-18 Security
General Principles of Security

Table 1-3 (Cont.) Roles and Permissions

Role Permissions
Apply Deployment Plans Operation Execution
Read Access
Server Deployment
Update Firmware
Write Access

Storage Admin Asset Management

Read Access
Storage Creation
Storage Deletion
Storage Management
Storage Server Management
Storage Server Usage
Storage Usage
Write Access

Overview 1-19
General Principles of Security

Table 1-3 (Cont.) Roles and Permissions

Role Permissions
SuperCluster Systems Asset Management
Admin Cluster Management
Credential Management
Directory Server Management
EC Energy Cost Management
EC HTTP Proxy Management
EC Registration
Fabric Creation
Fabric Deletion
Fabric Management
Fabric Usage
Job Management
Link Aggregation
Network Creation
Network Deletion
Network Domain Creation
Network Domain Deletion
Network Domain Management
Network Domain Usage
Network Management
Network Usage
Operating System Management
Operating System Usage
Operation Execution
Power Distribution Unit Management
Power Distribution Unit Usage
Profile Plan Management
Proxy Controller Management
Read Access
Report Management
Role Management
Server Deployment
Server Management
Server Usage
Service Request
Storage Creation
Storage Deletion
Storage Management
Storage Server Management
Storage Server Usage
Storage Usage
Switch Usage
Update Firmware
User Management
Write Access

1-20 Security
General Principles of Security

Table 1-3 (Cont.) Roles and Permissions

Role Permissions
Update Admin Boot Environment Management
Read Access
Update
Update Simulation
Windows Update Management
Write Access

Update Simulation Admin Read Access

Update Simulation
Write Access

User Management Admin Directory Server Management

Read Access
User Management
Write Access

Overview 1-21
General Principles of Security

Table 1-3 (Cont.) Roles and Permissions

Role Permissions
Virtualization Admin Asset Management
Asset Network Management
Fabric Creation
Fabric Deletion
Fabric Management
Fabric Usage
IPMP Groups
Link Aggregation
Manage Assets
Network Creation
Network Deletion
Network Domain Creation
Network Domain Deletion
Network Domain Management
Network Domain Usage
Network Management
Network Usage
Operating System Management
OVM Manager Management
OVM Manager Usage
Read Access
Server Deployment
Server Management
Server Pool Creation
Server Pool Deletion
Server Pool Management
Server Pool Usage
Storage Creation
Storage Deletion
Storage Management
Storage Server Management
Storage Server Usage
Storage Usage
Virtualization Guest Creation
Virtualization Guest Deletion
Virtualization Guest Management
Virtualization Guest Usage
Virtualization Host Creation
Virtualization Host Deletion
Virtualization Host Management
Virtualization Host Usage
Write Access

1-22 Security
General Principles of Security

Assigning Roles and Privileges to a User

Procedure for changing a user’s role and privileges.
The user accounts are created from the local authentication subsystem of the
Enterprise Controller's operating system or from a separate directory server, as
described in About Configuring an LDAP Server.
You must have the Role Admin role to grant roles to user accounts and to change
privileges.

1. Select Administration in the Navigation pane.

2. Click the Roles tab. The Roles page is displayed.

3. Select a user from the list of users.

4. Click the Manage User Roles icon.

5. Add or remove one or more roles from the roles list. By default, a user has all the
permissions of the assigned role. To control the scope of a user's role, remove a
specific permission:

a. Deselect the Use the default Role associations box. Click Next.

b. The privileges for each type of target are displayed on separate pages. Select
the roles to apply to each target, then click Next.

6. The Summary page is displayed. Review the roles and privileges assigned to the
user, then click Finish.

About Monitoring System Activity

Describes the logging features of the product.
Each Oracle Enterprise Manager Ops Center component has some auditing capability.
Follow audit advice in this document and monitor audit records routinely.
Oracle Enterprise Manager Ops Center performs each action as a job. The details of a
job show the order of operations in the job and the managed assets that were targets of
the job. You can view the details of a job from either the browser or the command-line
interface. Oracle Enterprise Manager Ops Center stores each job until the job is deleted
explicitly.
In addition to the jobs record, log files can be a source of activity records. Events are
recorded during operations and can provide additional detail about system activity.
Log files are protected by file permissions and therefore require a privileged user to
get access to them.

About Audit Logs for Performance and Security

Description of the role of audit logs
The information in this section is also in the Oracle Enterprise Manager Ops Center
Operations Reference.
The audit log files record the following types of events:

• Adding and deleting a user account

• Changing the roles for a user account

Overview 1-23
General Principles of Security

• Logging in and information about the connection

• Starting and ending jobs

The files are located on the Enterprise Controller in the following location:

• On Oracle Solaris: /var/cacao/instances/oem-ec/logs/audit-logs.*

• On Linux: /var/opt/sun/cacao2/instances/oem-ec/logs/audit-
logs.*
Each audit log file has a maximum size of 10 Mb. When this limit is reached, the file is
closed and a new file is created with an incremented file extension. The maximum
number of audit log files is 15, accumulating 150 Mb of logged activity. When audit-
logs.14 is closed, the next audit file is audit-log.0, overwriting the original
audit-log.0 file.
Figure 1-3 shows the series of log files.

Figure 1-3 Contents of Log Directory on Oracle Solaris 11

• User root logs in at 3:06.

• User root creates a new user, stanfield.

• User root gives the OPS_CENTER_ADMIN privilege to user stanfield.

• User root logs out.

• User stanfield logs in at 3:12.

• User stanfield starts a DHCP configuration job.

• Job is completed.

• User stanfield logs out.

Starting with Release 12.3.1, the audit log contains the sessionID to differentiate
among multiple sessions of the same user. Also, starting in this release, you have the
option to specify the format of the date and time in any of the formats supported by
Javadoc’s SimpleDateFormat class. You specify the format using the
[Link] system property.

Syntax of an Audit Log Entry

Lists the components of an event in the audit log file.
The entries in the audit log file have the following syntax:
datetime action connect_info additional_info

1-24 Security
General Principles of Security

action
LOGIN
DISCONNECT If a connection expires, the disconnection is not logged.
JOB_START
JOB_END
USER_ADD
USER_DELETE
ROLES_ASSIGN
SCHEDULED_JOB_STARTED
REMOTE_INFO Indicates a connection through the browser interface and includes
the IP address and port of the http client making the connection, as in the
following example:
REMOTE_INFO rmi://[Link] yogi 52, Remote Info: User yogi Session
ID:c2870004d5308069ffbf367fde6b connected from [Link]:57391 / JMX Session:
[Link]://[Link]:9 [Link]

connect_info
Unique identifier for the connection, depending on the type of connection:

• Connections through the browser interface or the command line interface:

rmi://ip_address username connection_id

• Connections through the API: jmxmp://ip_address:port username

connection_id

additional_info

• When the system property [Link] is set, a timestamp is included.

• For job actions, the additional information is the job ID, which consists of the
Enterprise Controller's name and the job number as listed in the Job pane.

• For user actions, the additional information is the username.

Changing the Date and Time Format of the Audit Log

Procedure for changing the system property that controls the timestamp in audit logs
for Oracle Enterprise Manager Ops Center.
1. Select Administration in the Asset pane.

2. Select the Configuration tab in the center pane.

3. Select EC Manager in the drop-down list.

4. Select [Link] in the list of properties.

5. Edit the value field to specify the format of the date and time. Use a specification
that is supported by Java’s SimpleDateFormat class.

6. Click the Save button.

7. Wait at least 10 minutes for the change to take effect and view the current audit log
to confirm.

Example of an Audit Log

Sample audit log.

Overview 1-25
General Principles of Security

Example 1-1 shows the contents of an audit log for the following operations:
Example 1-1 Example of an Audit Log
5/23/14 3:06 PM LOGIN rmi://[Link] root 13
5/23/14 3:06 PM REMOTE_INFO rmi://[Link] root 13, Remote Info: User root Session
ID:c2870004d5308069ffbf367fde6b connected from [Link]:45338 / JMX Session:
[Link]Ârmi://[Link]:2 [Link]Âroot
5/23/14 3:12 PM USER_ADD rmi://[Link] root 13, Remote Info: User root connected
from Session ID:c2870004d5308069ffbf367fde6b [Link]:45338 / JMX Session:
[Link]Ârmi://[Link]:2 [Link]Âroot Add user
stanfield: SUCCESS
5/23/14 3:12 PM ROLES ASSIGN rmi://[Link] root 13 Roles [OPS_CENTER_ADMIN]
granted to user stanfield
5/23/14 3:12 PM DISCONNECT rmi://[Link] root 13
5/23/14 3:12 PM LOGIN rmi://[Link] stanfield 18
5/23/14 3:12 PM REMOTE_INFO rmi://[Link] stanfield 18, Remote Info: User
stanfield Session ID:c2870004d5308069ffbf367fde6d connected from [Link]:45351 /
JMX Session: [Link]Ârmi://[Link]:3 [Link]Âstanfield
5/23/14 3:13 PM JOB_STARTED rmi://[Link] stanfield 18 sm4170m2-11-
[Link] - DHCP Server Configuration on sm4170m2-11-n172
5/23/14 3:13 PM JOB_END Job sm4170m2-11-n172.27 Completed with Status: SUCCESS
5/23/14 3:13 PM DISCONNECT rmi://[Link] stanfield 18

Activity Log Files for Components

Lists the type of event and the type of information about the event that is logged.
The following log files contain detailed information about the same events as the audit
log files except for login information. They include the interactions between
components of the product software.

• On Oracle Solaris: /var/cacao/instances/oem-ec/audits/

• On Linux: /var/opt/sun/cacao/instances/oem-ec/audits/
The following log files are specialized for specific events:

• Messages from operating system such as Info and Warning: /var/adm/

messages*

• Login and connection information: /var/opt/sun/xvm/logs/audit-logs*

• Events in the user interface component: /var/opt/sun/xvm/logs/[Link]

• Events between controllers and agents:

– On an Oracle Solaris Enterprise Controller: /var/cacao/instances/oem-

ec/logs/cacao.n

– On a Linux Enterprise Controller: /var/opt/sun/cacao/instances/oem-

ec/logs/cacao.n

– On each Oracle Solaris Proxy Controller: /var/cacao/instances/scn-

proxy/logs/cacao.n

– On each Linux Proxy Controller: /var/opt/sun/cacao/instances/scn-

proxy/logs/cacao.n

– On each Oracle Solaris agent: /var/cacao/instances/scn-agent/logs/

cacao.n

1-26 Security
General Principles of Security

– On each Oracle Linux agent: /var/opt/sun/cacao/instances/scn-

agent/logs/cacao.n

High Availability
Lists the Clusterware activity log.
In a High Availability configuration, each Enterprise Controller is a Clusterware node.
The Clusterware resource activity is logged each time the active Enterprise
Controller's resource action script's check() function is executed. The default interval
is 60 seconds.
On Oracle Solaris: /var/opt/sun/xvm/ha/[Link]

Software Updates
Lists the events for software updates.
The Software Update component has its own server with its own logs. The following
logs provide information on the activity for this server:

• Audit Log

– On Oracle Solaris: /var/opt/sun/xvm/uce/[Link]/server/logs/

[Link]

– On Linux: /usr/local/uce/server/logs/[Link]

• Errors

– On Oracle Solaris: /var/opt/sun/xvm/uce/[Link]/server/logs/

[Link]

– On Linux: /usr/local/uce/server/logs/[Link]

– Download jobs: /opt/SUNWuce/server/logs/SERVICE_CHANNEL/

[Link]

• Job Log

– On Oracle Solaris: /var/opt/sun/xvm/uce/[Link]/server/logs/

[Link]

– On Linux: /usr/local/uce/server/logs/[Link]

Agents
Lists the type of event and the type of information about the event that is logged

• /var/scn/update-agent/logs directory.

• /var/opt/sun/xvm/logs

Local Database
Lists the log files for database activity.

• On the Enterprise Controller:

– For installation events:

/var/opt/sun/xvm/oracle/cfgtoollogs/dbca/OCDB/*

Overview 1-27
General Principles of Security

/var/tmp/opscenter/[Link]

– For operational events reported by the ecadm sqlplus utility:

/var/opt/sun/xvm/oracle/diag/rdbms/ocdb/OCDB/alert/
[Link].*
/var/opt/sun/xvm/oracle/diag/rdbms/ocdb/OCDB/trace/
alert_OCDB.log.*
/var/opt/sun/xvm/oracle/diag/tnslsnr/<hostname>/oclistener/
alert/[Link].*
/var/opt/sun/xvm/oracle/diag/tnslsnr/<hostname>/oclistener/
trace/[Link].*

– For schema changes:

/var/opt/sun/xvm/log/[Link]
/var/opt/sun/xvm/logs/alter_oracle_schema.out
/var/opt/sun/xvm/logs/alter_oracle_storage.out

– For backup, restore, and migrate operations:

/var/opt/sun/xvm/logs/[Link]
/var/opt/sun/xvm/logs/[Link]
/var/opt/sun/xvm/logs/[Link]

• For data files: /var/opt/sun/xvm/oracle/oradata/OCDB

• For redo log files: /var/opt/sun/xvm/oracle/oradata/OCDB.

If you used OCDoctor to prepare a zpool directory with Oracle OS user permission,
the log files are in: /var/opt/sun/xvm/oracle/oradata/OCDB/REDO/

• On the Proxy Controller: /var/opt/sun/xvm/proxydb/*

• On each agent: /var/opt/sun/xvm/agentdb/*

1-28 Security
2
Secure Installation and Configuration

Describes the role of security in the product.

This chapter describes how to plan an installation and then how to configure the
software so that you use the software securely.

Topics

• Planning the Deployment

• Installing Oracle Enterprise Manager Ops Center

• Configuring Oracle Enterprise Manager Ops Center

• Viewing the Enterprise Controller's Configuration

• About Editing the Configuration

• Access to Database Data

Planning the Deployment

Describes the role of security in the product architecture.
This section outlines the options for a secure installation and describes several
recommended deployment topologies for the systems:

Topics

• About High Availability

• Overview of Network Configuration

• About Infrastructure and Operating Systems

• About Storage Configuration

• About a Remote Database

• Typical Deployment

About High Availability

Describes how the product provides High Availability.
The simplest deployment architecture is a single-system deployment in which the
Enterprise Controller and a Proxy Controller are installed on the same system.
Although the simplicity is appealing, this type of deployment creates a single point of
failure and cannot provide high availability because all components are stored on the
same computer.

Secure Installation and Configuration 2-1

Planning the Deployment

The High Availability configuration uses multiple Enterprise Controllers with Oracle
Clusterware and a remote database. The active Enterprise Controller is used for all
operations. The standby Enterprise Controllers are configured as backups. If the active
Enterprise Controller must be taken offline, make another Enterprise Controller active.
One of the standby Enterprise Controllers is also activated if the active Enterprise
Controller fails.
Each asset is managed by a specific Proxy Controller. If a Proxy Controller fails or is
uninstalled, Oracle Enterprise Manager Ops Center gives you the option to migrate
the failed Proxy Controller's assets to another Proxy Controller. At any time, move an
asset from one functional Proxy Controller to another Proxy Controller. The
destination Proxy Controller must either be connected to the networks of the assets
being moved, or be associated with those networks and have them enabled.

Requirements for Enterprise Controller High Availability

Lists the requirements for High Availability.

• Use two or more systems of the same model and configured identically:

– Processor class

– Operating system

– Enterprise Manager Ops Center software version, including updates

– Network interfaces that are cabled identically to the same subnets

• Use the Edit Asset action to add an asset tag that identifies the active Enterprise
Controller and distinguishes it from the standby Enterprise Controller.

• Maintain the standby Enterprise Controller's system in the same way as the active
Enterprise Controller. The active and standby Enterprise Controllers must use the
same version of Enterprise Manager Ops Center software.

Limitations of High Availability

Describes the limitations of the High Availability.

• User accounts and data that are not associated with Enterprise Manager Ops
Center are not part of the relocate process. Only Enterprise Manager Ops Center
data is moved between the active and standby Enterprise Controllers.

• Any customizations of the PAM configuration on the primary node must be

repeated on the standby node. Oracle Enterprise Manager Ops Center does not
replicate PAM configuration.

• UI sessions are lost in a relocation.

• The Enterprise Controller HA configuration applies only to the Enterprise

Controller and not to Proxy Controllers.
See the Oracle Enterprise Manager Ops Center Administration for instructions in
configuring and maintaining an High Availability installation.

Overview of Network Configuration

Describes a network configuration in which operations are separated.

2-2 Security
Planning the Deployment

Network connections are needed for data operations, for management operations, and
for provisioning operations. The minimum configuration, but least secure, is to
combine all operations on one network. Separate networks, as shown in Figure 2-1,
provide the highest security and the lowest number of points of failure. However,
additional network interface cards (NIC) are needed to support this configuration.
Network connection (net0) can be physical NIC, a link aggregate, or an IPMP group.

Figure 2-1 Separate Management, Provisioning, Data Networks

About Infrastructure and Operating Systems

Description of the role of various system administrators in the product architecture.
Oracle Enterprise Manager Ops Center manages and monitors assets in multiple
locations and on multiple platforms. The responsibility for securing the network,
hardware, and operating system of the server that runs the Enterprise Controller is
that server's system administrator. The responsibility for securing the hardware,
network, and operating system of Proxy Controllers and all assets falls on the various
site system administrators.

About Storage Configuration

Describes how libraries can be configured in the product architecture.
Oracle Enterprise Manager Ops Center stores its data and metadata in Software and
Storage Libraries. These libraries can reside in local file systems or on the shares of an

Secure Installation and Configuration 2-3

Planning the Deployment

NFS server. Because the Enterprise Controller does not mount the NFS share, install
the NFS server on a system that is close to the systems that will use the NFS share, that
is, the systems that host global zones and Oracle VM Servers.

About a Remote Database

Describes the alternative architecture that uses a separate database to support the
product.
This version of the product software provides the capability to use a remote, customer-
managed database. The Enterprise Controller interacts with the remote, customer-
managed database using the Oracle*Net protocol over TCP/IP.
Oracle Enterprise Manager Ops Center provides scripts to create the database schema
and users. Before you install Oracle Enterprise Manager Ops Center, your database
administrator creates the database and then runs the
createOCSchema_remote.sqlscript to create the Ops Center Schema and to grant
the CREATE DATABASE privilege. The database administrator provides the database
credentials and the connection information to you and you create the
[Link] file. The file can be located in a directory of your choice on the
system that hosts the Enterprise Controller.
When you install the Oracle Enterprise Manager Ops Center software, you use the -
remoteDBprops flag and provide the location of the [Link] file.
During installation, the connection between the Enterprise Controller and the remote
database is created.
Starting with Release [Link].0, you have the option to prevent the remote database's
Enterprise Controller application schema from viewing or executing public database
objects.

Note:

Preventing access to public database objects might affect other application

schemas if they require public privileges.

To add this security enhancement, use the following procedure to execute the
update_pub_privs_12.[Link] script:

1. Copy the update_pub_privs_12.[Link] script from the Enterprise

Controller's system to the Oracle account on the server where the customer-
managed database instance is installed. The script is located in the following
location of the Enterprise Controller's system:

• Oracle Solaris OS: /opt/ORCLsysman-db/sql/update/diamond-

update2/oracle/

• Linux OS: /opt/orcl/orcl-dbic/sql/update/diamond-update2/

oracle/

2. On the customer-managed database's system, log into the database administrator

account.

3. Execute the script using the following command:

sqlplus / as sysdba @update_pub_privs_12.[Link]

2-4 Security
Installing Oracle Enterprise Manager Ops Center

Typical Deployment
Illustrates a typical product architecture.
Figure 2-2 shows a deployment running the product software in Connected mode and
with two Proxy Controllers.

Figure 2-2 Deployment Example

Installing Oracle Enterprise Manager Ops Center

Describes installation of the product.

Topics

• About Controlling Access

• Obtaining a Certificate Authority's Certificate

• Viewing the Enterprise Controller's Truststore and Keystore

• About Substituting CA Certificates for the Default Certificates

• Verify a Certificate's Expiration Date

• Replace the Certificate for the Enterprise Controller

• Replace the Certificate for the Proxy Controller

Secure Installation and Configuration 2-5

Installing Oracle Enterprise Manager Ops Center

• Substituting Certificates for the Glassfish Web Container

• Replace the Certificate for the Apache UCE Container

• About Installing a Remote Proxy Controller Securely

About Controlling Access

Describes the importance of controlling access to the product.
Install the Enterprise Controller component only on a system where root access is
controlled tightly because a root-privileged user must modify or create system services
as part of the installation. To install the product on Linux systems, disable the
SELINUX setting.

About Substituting CA Certificates for the Default Certificates

Describes the role of certificates in the product architecture.
Oracle Enterprise Manager Ops Center has self-signed certificates that it uses for
authentication between its components. Self-signed certificates are certificates that
have not been registered with any third-party Certificate Authority (CA), and are
therefore not guaranteed by a Certificate Authority. These certificates issue a warning
when connecting with a browser and require users to accept the certificate.
To ensure that data being transmitted and received is private and not vulnerable to
eavesdropping, a self-signed certificate is sufficient. However, to ensure that the
sender and receiver are authentic, substitute the self-signed certificates with Class A or
B certificates from a third-party Certificate Authority.
Oracle Enterprise Manager Ops Center 's internal communication occurs between Java
components and between Apache components so both types of certificates must be
prepared and substituted for the self-signed certificates.

• Starting in Release [Link], use the Command Line Interface’s security mode to
manage certificates. The instructions for invoking and the product’s Command
Line Interface are in the Oracle Enterprise Manager Ops Center Command Line
Interface, but to summarize:

1. Go to the following location:

– Oracle Solaris: /opt/SUNWoccli/bin

– Linux: /opt/sun/occli/bin

2. Invoke the product CLI:

./oc -e 'connect'
If you are connecting to the Enterprise Controller from a remote system, you
are prompted for the host name, username, and password.

3. The procedures in this section use the security mode and the jobs mode.
When you enter a mode, the system prompt changes to indicate the current
mode. To enter security mode, type security on the command line. You can
view the man pages for any mode from the command line or in the Oracle
Enterprise Manager Ops Center Command Line Interface.

2-6 Security
Installing Oracle Enterprise Manager Ops Center

• For Java certificates, use the keytool utility, included in the Java Development
Kit, to manage the keystore, which stores your server's certificate, and the
truststore, which stores the Certificate Authority's certificates.

• For Apache certificates, use the Oracle Solaris's OpenSSL utilities to create
certificates for mutual authentication between a server and its clients. OpenSSL is a
cryptography toolkit that implements the Transport Layer Security (TLS) network
protocol. Oracle Enterprise Manager Ops Center does not use any version of SSL.
All transactions with the web browser are in TLS.
Use the procedures in this section to substitute private keys with a Certificate
Authority's private keys, signed by the Certificate Authority. By substituting the
certificates and keys, you change the trust relationship between components. To
ensure authentic communication, substitute the keys on the following:

• The Enterprise Controller's server

• The co-located Proxy Controller

• Each additional Proxy Controller

Obtaining a Certificate Authority's Certificate

Procedure for obtaining a certificate from a Certificate Authority.
To substitute the self-signed certificate with a Certificate Authority's certificate, you
must obtain the CA's certificate and communicate with the Certificate Authority
during the procedure. The following procedure is the general procedure:

1. Identify the Certificate Authority you want to use and follow their instructions for
the specific steps of this general procedure.

2. Submit a request for a certificate to the Certificate Authority, called a certificate

signing request (CSR). The Certificate Authority returns a certificate chain, which
consists of a root certificate and its signed certificate.

3. Download a Chain Certificate from the Certificate Authority.

4. Verify the certificates' fingerprints. When you add a certificate to the keystore, any
transactions using that certificate become trusted. You must be certain that the
certificates you received are authentic before you import them. For a Java
certificate, use the following command to see the fingerprints and then
communicate with the Certificate Authority to compare the fingerprints:

keytool -printcert -file <path/filename>

5. Replace existing certificates with the CA certificates, as described in the following

sections.

Viewing the Enterprise Controller's Truststore and Keystore

Procedure for displaying information about the Enterprise Controller’s certificates and
keys.
To configure secure communications, you can configure the Java keystore and
truststore. The keystore stores the host server's private keys and local authority
certificate, to provide the credentials for secure transactions. The truststore is similar to
the keystore, but it stores certificates from remote servers, which allows the remote
server to open a secure transaction.

Secure Installation and Configuration 2-7

Installing Oracle Enterprise Manager Ops Center

At any time, use the following command to display the content of the Enterprise
Controller's keystore:
keytool -list -v -keystore /etc/cacao/instances/oem-ec/security/jsse/keystore -
storepass:file /etc/cacao/instances/oem-ec/security/password

Use the following command to display the content of the Enterprise Controller's
truststore:
keytool -list -v -keystore /etc/cacao/instances/oem-ec/security/jsse/truststore -
storepass trustpass

Use the CLI security mode at any time to display information about the certificates
in any Proxy Controller’s truststore or any asset’s truststore. The following commands
display information for each certificate on each asset or Proxy Controller: the alias, the
owner, the issuer, the serial number, the creation date, and the period during which
the certificate is valid.
localhost/security > list_proxy [-p|--proxy proxyID]

localhost/security > list_asset [-a assetname]

About CA Certificate Expiration

Description of the expiration of certificates.
The certificates from a Certificate Authority expire after a time period they set, usually
between one and two years. Make certain you replace the certificates before they
expire. If they expire, access is denied.

Verify a Certificate's Expiration Date

Procedure for displaying information about a certificate.
Use the CLI security mode at any time to verify the validity of the certificates in any
Proxy Controller’s truststore or any asset’s truststore. You can specify the number of
days to check for expiration of the certificate. The following examples check whether
the certificate remains valid for the next 180 days.
localhost/security > check_proxy -d 180

localhost/security > check_asset -d 180

A result of OK means the certificate is valid for at least 180 days.

A result of Invalid means the certificate expires in less 180 days.

Replace the Certificate for the Enterprise Controller

Procedure for replacing a certificate on the Enterprise Controller.
You can replace an existing certificate at any time. However, when specifying an alias
for a truststore, do not re-use the original alias. You must choose new aliases when
replacing certificates because the original certificate and the replacement certificate use
the same truststore.
You can change both the certificate and the password for the new keystore or you can
change only the certificate and keep the same password for the new keystore.

1. Navigate to the location of the keystore:

2-8 Security
Installing Oracle Enterprise Manager Ops Center

• Oracle Solaris OS: cd /etc/cacao/instances/oem-ec/security/jsse

• Linux OS: cd /etc/opt/sun/cacao2/instances/oem-ec/security/

jsse/

2. Create a new password by creating and then editing the following file:
/etc/cacao/instances/oem-ec/security/password

3. Create a new private key in the new keystore. You will be prompted to enter
passwords for the key and keystore.

a. Create a new private key. Use the keytool -genkey command, according
to its documentation and your site's security policy. The following is an
example of the command:
keytool -genkey -alias cacao_agent -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -validity
7300 -keystore keystore_new -storepass:file /etc/cacao/instances/oem-ec/security/password -
dname CN=ec-`uname -n`

b. At the prompt to enter the key password for cacao_agent, do not enter any
characters. Instead, press the Enter key to set the cacao_agent key password
to be the same password as the one used for the keystore. This method is the
only way to ensure that the passwords match.

4. Create a signing request (CSR) using the keytool -certreq command,

according to its documentation and your site's security policy. The following is an
example of the command:
keytool -certreq -keyalg RSA -sigalg SHA256withRSA -alias cacao_agent -file
[Link] -keystore keystore_new -storepass:file /etc/cacao/instances/oem-ec/
security/password

where:
SHA256withRSA specifies the algorithm used to sign the self-signed certificate.
[Link] is the name of the file containing the signing request.

5. Obtain a new certificate from a Certificate Authority, according to the procedure

in Obtaining a Certificate Authority's Certificate.

6. Import the Certificate Authority's root certificate, your_ca, into the new keystore.
The root certificate is in the file [Link].
keytool -importcert -alias your_ca -keystore keystore_new -file [Link] -
storepass:file /etc/cacao/instances/oem-ec/security/password

7. At the prompt to confirm the certificate, enter Yes.

Secure Installation and Configuration 2-9

Installing Oracle Enterprise Manager Ops Center

8. Import the signed certificate into the new keystore. The signed certificate is in the
file [Link].
keytool -importcert -v -alias cacao_agent -file [Link] -keystore
keystore_new -storepass:file /etc/cacao/instances/oem-ec/security/password

The output of this command is the message"Certificate reply was

installed in keystore", which confirms that the operation completed
successfully.

9. Remove the Certificate Authority's root certificate, your_ca, from the new
keystore because it is no longer needed:
keytool -delete -alias your_ca -keystore keystore_new -storepass:file /etc/cacao/
instances/oem-ec/security/password

10. If you are using the EC-HA High Availability feature, copy the new keystore and
the updated truststore to the second node system at the same location. If you are
using a new password, copy it to the second node system too.

11. Use the CLI’s security mode to propagate the new certificate to the truststore of
all Proxy Controllers:

a. View the status of the current certificates:

localhost/security > check_proxy

b. Propagate the new certificates to the Proxy Controllers.

localhost/security > push_proxy -k /etc/cacao/instances/oem-ec/security/
jsse/keystore_new
-w /etc/cacao/instances/oem-ec/security/password

The operation is reported to you as a Job ID that includes the Enterprise

Controller’s name:
Job ID is ec_name.n

c. Use the jobs mode as a one-line command to follow the progress of the job.
This one-line command lets you run a command in a different mode without
ending the current mode.
localhost/security > [Link] -C1

ec_name.n | SUCCESS | root | Propagate Satellite

Certificates to Proxies

d. When the job is finished, verify the status of the certificates again. This
example shows that all new certificates have been propagated but original
certificates are still in use. These certificates remain in use until the active
keystore is changed.

2-10 Security
Installing Oracle Enterprise Manager Ops Center

localhost/security > check_proxy

Proxy Certificates Status:

Proxy | Alias | Serial |Status|Active|
--------------------------------------------------------------------
proxy-1 | cacao_agent-1 | 2fe12e10 | OK |
proxy-1 | cacao_ca | 303b0061 | OK |ACTIVE
proxy-1 | cacao_agent-0 | a479618c | OK |
proxy-2 | cacao_agent-1 | 2fe12e10 | OK |
proxy-2 | cacao_ca | 303b0061 | OK |ACTIVE
proxy-2 | cacao_agent-0 | a479618c | OK |
proxy-2 | sds | d61bbb3e03e483f9 | OK |

12. Stop the Enterprise Controller.

13. Rename the existing keystore to identify it as the previous keystore:

mv keystore keystore_old

14. Rename the new keystore to identify it as the current keystore:

mv keystore_new keystore

15. Set the permissions of the keystore file to 600:

chmod 600 keystore

16. Remove the truststore GF

rm truststore_gf

17. Rename the directories so that password is in effect and then change its
permissions:
mv ../password ../password_old
mv ../password_new ../password
chmod 600 ../password_new

18. Restart the Enterprise Controller. After this start, the new certificates are in use.
Remote users of the Command Line Interface must accept the new certificate the
first time they connect to the CLI.

19. If you are using the EC-HA High Availability feature, repeat the same commands
on the second node system:
mv keystore keystore_old
mv keystore_new keystore
rm truststore_gf
mv ../password ../password_old
mv ../password_new ../password
chmod 600 ../password_new

20. Use the security mode to remove the original certificates from the Proxy
Controllers’ truststores.

a. Verify that all new certificates are now in use and the original certificates are
not used.
localhost/security > check_proxy

The following example shows that the new certificates, starting with
cacao_agent, are now the active certificates.

Secure Installation and Configuration 2-11

Installing Oracle Enterprise Manager Ops Center

Proxy Certificates Status:

Proxy | Alias | Serial |Status|Active|
--------------------------------------------------------------------
proxy-1 | cacao_agent-1 | 2fe12e10 | OK |ACTIVE
proxy-1 | cacao_ca | 303b0061 | OK |
proxy-1 | cacao_agent-0 | a479618c | OK |ACTIVE
proxy-2 | cacao_agent-1 | 2fe12e10 | OK |ACTIVE
proxy-2 | cacao_ca | 303b0061 | OK |
proxy-2 | cacao_agent-0 | a479618c | OK |ACTIVE
proxy-2 | sds | d61bbb3e03e483f9 | OK |

b. To remove the old certificates from its truststore, you must remove each one
individually. Each operation creates a job with an ID that includes the
Enterprise Controller’s name.
localhost/security > remove_proxy -s 303b0061

Job ID is ec_name.YY

c. Verify that each job has been completed.

localhost/security > [Link] -C1

ec_name.YY | SUCCESS | root | Delete Certificate from Proxies | All known

Proxies

21. Verify the status of the new certificates:

localhost/security > check_proxy

Proxy Certificates Status:

Because you import the certificates for the new keys into the Proxy Controller
truststore before you switch keys, an SSL error occurs in the Proxy Controller. For a
Proxy Controller running version [Link].0 version or later, the Proxy Controller
recovers automatically in a few minutes. The Proxy Controller reads the truststore,
detects the new certificates, and restores communication with the Enterprise
Controller.
If the Proxy Controller is running a previous version or you experience a delay or
other problem, stop and restart the Proxy Controller to force it to re-read its truststore.

Replace the Certificate for the Proxy Controller

Procedure for replacing a certificate on the Proxy Controller.
You must use a different certificate on the Proxy Controller from the certificate used
on the Enterprise Controller. You must use a different certificate on each Proxy
Controller.
Do not re-use an existing alias when you add a new certificate to a truststore. Each
alias in a truststore must be unique.

1. Navigate to the keystore:

2-12 Security
Installing Oracle Enterprise Manager Ops Center

• Oracle Solaris OS: cd /etc/cacao/instances/scn-proxy/security/

jsse

• Linux OS: cd /etc/opt/sun/cacao2/instances/scn-proxy/

security/jsse/

2. Set the permissions of the keystore file to 0266:

# umask 0266

3. Create a new private key in the new keystore.

a. Create a new private key. Use the keytool -genkey command, according
to its documentation and your site's security policy. Do not include the -
keypass option so that a prompt for the password will be displayed. The
following is an example of the command:
keytool -genkey -alias cacao_agent -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -validity
7300 -keystore keystore_new -storepass:file /etc/cacao/instances/scn-proxy/security/password -
dname CN=ec-`uname -n`

where
-keyalg specifies the algorithm to be used to generate the key pair.
-sigalg specifies the algorithm used to sign the self-signed certificate. This
algorithm must be compatible with the algorithm specified by the -keyalg
option, as described in the keytool documentation.
-validity specifies the number of days that the certificate remains valid.
-dname specifies the X.500 Distinguished Name to be associated with alias,
and is used as the issuer and subject fields in the self-signed certificate. If you
do not include the distinguished name in the command, the user is prompted
for one.

4. Create a signing request (CSR) using the keytool -certreq command,

where:
SHA256withRSA specifies the algorithm used to sign the self-signed certificate.
[Link] is the name of the file containing the signing request.

5. Obtain a new certificate from a Certificate Authority for each Proxy Controller,
according to the procedure in Obtaining a Certificate Authority's Certificate.

Secure Installation and Configuration 2-13

Installing Oracle Enterprise Manager Ops Center

7. At the prompt to confirm the certificate, enter Yes.

The output of this command is the message"Certificate reply was

installed in keystore", which confirms that the operation completed
successfully.

10. Use the CLI’s security mode to propagate the new certificate to the truststore of
all the assets managed by the specified Proxy Controller:

a. View the status of the current certificates:

localhost/security > check_asset -p proxy-1

b. Propagate the new certificates to the truststore of each asset:

localhost/security > push_asset -p proxy-1 -k /etc/cacao/instances/scn-
proxy/security/jsse/keystore_new

The operation is reported to you as a Job ID that includes the Enterprise

Controller’s name:
Job ID is ec_name.n

ec_name.n | SUCCESS | [Ops Center]| Propagate Proxy Certificates to AC/VC |

Propagate Proxy Certificates to AC/VC

2-14 Security
Installing Oracle Enterprise Manager Ops Center

Asset Certificates Status:

11. Place the Proxy Controller in maintenance mode to prevent auto-recovery during
the remaining steps of this procedure.

12. Stop the Proxy Controller's internal communication using the following
command:

• Oracle Solaris OS: /opt/SUNWxvmoc/bin/proxyadm stop -w

• Linux OS: /opt/sun/xvmoc/bin/proxyadm stop -w

13. Rename the existing keystore to identify it as the previous keystore:

mv keystore keystore_old

14. Rename the new keystore to identify it as the current keystore:

mv keystore_new keystore

15. Verify the access rights to the keystore.

ls -l /var/opt/sun/xvm/bui/conf/password

-r-------- 1 root root 199 juin 14 08:18 /var/opt/sun/xvm/bui/conf/

password

16. Remove the truststore GF.

rm truststore_gf

17. Restart the Proxy Controller:

• Oracle Solaris OS: /opt/SUNWxvmoc/bin/proxyadm start -w

• Linux OS: /opt/sun/xvmoc/bin/proxyadm start -w

18. Use the security mode to remove the original certificates from the assets’
truststores.

a. Verify that all new certificates are now in use and the original certificates are
not used.
localhost/security > check_asset -p proxy-1

Asset Certificates Status:

Secure Installation and Configuration 2-15

Installing Oracle Enterprise Manager Ops Center

proxy-1 | asset-1 | cacao_agent-0 | a4797cad | OK

Job ID is ec_name.tt

c. Verify that each job has been completed.

localhost/security > [Link] -C1

ec_name.tt | SUCCESS | root | Delete Certificate from assets | All known

Proxies

19. Verify the status of the new certificates:

localhost/security > check_asset -p proxy-1

Asset Certificates Status:

20. Remove the Proxy Controller from maintenance mode

Because you import the certificates for the new keys into the agent truststore before
you switch keystores, an SSL error occurs in the agent. Starting with version [Link].0
version, the agent recovers automatically in a few minutes. The agent reads the
truststore, detects the new certificates, and restores communication with the Proxy
Controller.
If the agent is deployed from a previous version or you experience a delay or other
problem, stop and restart the agent to force it to re-read its truststore.

Substituting Certificates for the Glassfish Web Container

Procedure for changing the certificates for Glassfish web container.
Oracle Enterprise Manager Ops Center has self-signed certificates that it uses for
authentication for its Glassfish web container. The benefit of substituting the self-
signed certificates with certificates from a Certificate Authority is that users do not see
a warning from the browser about attempting an untrusted connection and do not
have to add a security exception to use the product.
To replace the self-signed certificate on a system that has been running Oracle
Enterprise Manager Ops Center, use the following procedure:

1. Stop the Enterprise Controller's internal communication using the following

command:

2-16 Security
Installing Oracle Enterprise Manager Ops Center

• Oracle Solaris OS: /opt/SUNWxvmoc/bin/ecadm stop -w

• Linux OS: /opt/sun/xvmoc/bin/ecadm stop -w

2. Navigate to the keystore:

cd /var/opt/sun/xvm/bui/conf

3. Delete the keystore. The keystore is re-created automatically when you create a
new private key later in this procedure.

rm keystore

4. Delete the Oracle Glassfish Server truststore used by the product's web server. The
truststore is re-created automatically when the Enterprise Controller is restarted.

rm keystore_truststore_gf

5. Create a new private key, according to your site's security policy. Use the keytool
-genkey command, according to its documentation and your site's security policy.
Do not include the -keypass option so that a prompt for the password will be
displayed. The following is an example of the command for creating the private
key:

keytool -genkey -alias `uname -n` -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -validity 7300 -
keystore keystore -storepass password -dname CN=bui-`uname -n`

where
-keyalg specifies the algorithm to be used to generate the key pair.
-sigalg specifies the algorithm used to sign the self-signed certificate. This
algorithm must be compatible with the algorithm specified by the -keyalg option,
as described in the keytool documentation.
-dname specifies the X.500 Distinguished Name to be associated with alias, and is
used as the issuer and subject fields in the self-signed certificate. If you do not
include the distinguished name in the command, the user is prompted for one.
-validity specifies the number of days that the certificate remains valid.
-password specifies either the clear text password or the local file named
password that contains an arbitrary string used as the keystore password. If you
are using a local file named password, then use the -storepass:file
<filename> format.

Note:
If you are installing Oracle Enterprise Manager Ops Center version 12.3.2, use
the -storepass:file <filename> for the keystore password.

6. At the prompt for the key password, press the Enter key to set the key password to
match the keystore password.

7. Create a signing request:

keytool -certreq -keyalg RSA -sigalg SHA256withRSA -alias `uname -n` -file
[Link] -keystore keystore -storepass password

Secure Installation and Configuration 2-17

Installing Oracle Enterprise Manager Ops Center

8. If you have verified the certificate you received from the Certificate Authority, as
described in Step 4 of the procedure in Obtaining a Certificate Authority's
Certificate, you are ready to import it.

9. Import the certificate that the CA sent to you into the keystore. The certificate is in
the file [Link].

keytool -importcert -alias your_ca -keystore keystore -file [Link] -storepass password

10. At the prompt to confirm the certificate, enter Yes.

11. Import the signed certificate into the keystore. The certificate is in the file
[Link].

keytool -importcert -v -alias `uname -n` -file [Link] -keystore keystore -storepass password

The output of this command is the message"Certificate reply was

installed in keystore", which confirms that the operation completed
successfully.

12. Remove the Certificate Authority's root certificate, your_ca, from the keystore
because it is no longer needed:

keytool -delete -alias your_ca -keystore keystore -storepass password

13. Restart the Enterprise Controller:

• Oracle Solaris OS: /opt/SUNWxvmoc/bin/ecadm start -w

• Linux OS: /opt/sun/xvmoc/bin/ecadm start -w

Replace the Certificate for the Apache UCE Container

Procedure for replacing a certificate on the Apache UCE Container.
Use the following procedure to replace the certificates by accomplishing the following:

• Create and propagate the new certificates to the clients of the Apache service.

• Stop the Apache service, replace the certificates, and then restart the Apache
service.

1. Copy your local Certificate Authority key and certificate files to a secure location
on your server. This is a temporary location.

2. Rename the Certificate Authority certificate file to [Link].

3. Rename the Certificate Authority key file to [Link].

4. To add the new certificate to the truststore of the client of the Apache Service,
define the following variables

SMSF_STORE=/var/opt/sun/xvm/security/jsse/smsfacade/jssecacerts
SMSF_PASS=`awk -F= '/^[Link]/{print $2}' /var/opt/sun/xvm/persistence/scn-
satellite/[Link]`
NEW_SERVER_SSL_CRT=<your secure temporary location>/[Link]

For Oracle Solaris OS, define the following variables:

2-18 Security
Installing Oracle Enterprise Manager Ops Center

TRUST_STORE=/etc/cacao/instances/oem-ec/security/jsse/truststore
TRUST_PASS=`awk -F= '/^[Link]/{print $2}' /etc/cacao/instances/oem-
ec/private/[Link]`

For Linux OS, define the following variables:

TRUST_STORE=/etc/opt/sun/cacao2/instances/oem-ec/security/jsse/truststore
TRUST_PASS=`awk -F= '/^[Link]/{print $2}' /etc/opt/sun/cacao2/
instances/oem-ec/private/[Link]`

5. Add the new certificate to the truststore. This example uses sds-2 and
[Link]-2 to show that the aliases must be different from the original aliases.
Specify alias names for your convenience or according to your site policy.

keytool -importcert -file $NEW_SERVER_SSL_CRT -alias sds-2 -keystore $TRUST_STORE -storepass

$TRUST_PASS -noprompt
keytool -importcert -file $NEW_SERVER_SSL_CRT -alias [Link]-2 -keystore $SMSF_STORE -storepass
$SMSF_PASS -noprompt

6. Stop the Enterprise Controller and the Proxy Controllers:

• Oracle Solaris OS:

– /opt/SUNWxvmoc/bin/ecadm stop -w

– /opt/SUNWxvmoc/bin/proxyadm stop -w

• Linux OS:

– /opt/sun/xvmoc/bin/ecadm stop -w

– /opt/sun/xvmoc/bin/proxyadm stop -w

7. Navigate to the location of the certificate and key files for the Apache web
container:

• Oracle Solaris OS: cd /var/opt/sun/xvm/uce/[Link]/server/

uce_server/[Link]

• Linux OS: cd /var/opt/sun/xvm/uce/etc/uce_server/[Link]

8. Move the current [Link] file and [Link] file from the [Link]
directory to an alternate, secure location.

9. Copy your local Certificate Authority files from the secure temporary location to
the [Link] directory.

10. Verify the permissions for the [Link] file are set to allow only the service
user to read the file:

chown uce-sds:uce-sds [Link]

chmod 400 [Link]

The files now have these permissions:

-r-------- 1 uce-sds uce-sds 1751 Jun 13 13:05 [Link]
-rw-r--r-- 1 uce-sds uce-sds 1220 Jun 13 13:05 [Link]

11. If the [Link] file is encrypted and requires a password, edit the following file to
echo the password:

Secure Installation and Configuration 2-19

Configuring Oracle Enterprise Manager Ops Center

• Oracle Solaris OS: /var/opt/sun/xvm/uce/[Link]/server/

uce_server/.sslphrase

• Linux OS: /var/opt/sun/xvm/uce/etc/uce_server/.sslphrase

12. Restart the Enterprise Controller and Proxy Controllers.

• Oracle Solaris OS:

– /opt/SUNWxvmoc/bin/ecadm start -w

– /opt/SUNWxvmoc/bin/proxyadm start -w

• Linux OS:

– /opt/sun/xvmoc/bin/ecadm start -w

– /opt/sun/xvmoc/bin/proxyadm start -w

13. Use the CLI’s security mode to propagate the new UCE certificate to each Agent
Controller that needs it.

localhost/security > push_uce -p <proxy name>

About Installing a Remote Proxy Controller Securely

Description of a secure way to install a Proxy Controller on a remote system.
When installing a Proxy Controller that is not co-located with the Enterprise
Controller, do not use the Proxy Controller Deploy action from the browser interface.
Instead, copy the Proxy Controller bundle to the target system and then log in as root
to install the software. This method removes the need to provide root credentials to
the Proxy Controller's system and eliminates the need to enable ssh access from the
Enterprise Controller's system to the Proxy Controller's system.

Configuring Oracle Enterprise Manager Ops Center

Lists the tasks for configuring the product.
A privileged user must be enabled for the Oracle Enterprise Manager Ops Center
software. Log in as the privileged user to perform the tasks in this section:

• About the Connection Mode

• Disable Multiple Logins

• About Securing the Log Files

• About Database Credentials

• Disable the Domain Model Navigator

• Secure the Agents

• About Securing the Browsers

• About Strong Cipher Encryption

2-20 Security
Configuring Oracle Enterprise Manager Ops Center

About the Connection Mode

Describes the differences between Connected mode and Disconnected mode for a set
of tasks.
Connection modes provide a way to keep the product software and all of the asset
software current. However, Connected mode requires Internet access and if this access
cannot be made secure or if a site's policy does not enable Internet access, the
alternative is to run Oracle Enterprise Manager Ops Center in Disconnected mode.
Although Disconnected mode might seem to provide the most secure environment, its
use relies on manual procedures that can are error-prone without rigorous compliance
to procedures and policies. Table 2-1 shows how operations are affected by the
connection mode.

Table 2-1 Comparison of Functions in Different Connection Modes

Operation Connected Mode Disconnected Mode

Obtain a new version of the product Use the Oracle Ops Center
software Downloads action to create a job 1. Log in to an Internet-facing
that obtains the latest version. system and download the
https://
[Link]/
OCDoctor/
harvester_bundle-
[Link] file.

2. Unzip the compressed file and

run the harvester script to
connect to the Oracle
Datacenter and create an
upgrade bundle.

3. Copy the update bundle to the

Enterprise Controller's system.

Upgrade the product software Use the Upgrade Enterprise For the Enterprise Controller and
Controller action. For each Proxy each Proxy Controller:
Controller, use the Update to Latest
Available Version action. 1. Log in to each system as root
and create a temporary
directory.

2. Move the upgrade software

from the Internet-facing
system to the new directory.

3. Uncompress the file and install

the software, according to the
instructions in the appropriate
installation guide.

Secure Installation and Configuration 2-21

Configuring Oracle Enterprise Manager Ops Center

Table 2-1 (Cont.) Comparison of Functions in Different Connection Modes

Operation Connected Mode Disconnected Mode

Provision an OS and update an Download the operating system Obtain the image.
existing OS, using the latest image. software from http:// Use a CD or DVD to load the
[Link] to a operating system software.
software library.
Log in to an Internet-facing system
and download the operating system
software from http://
[Link]
Then use the Upload ISO Images
action and the Import Images
action to update the contents of the
Enterprise Controller's software
library.

Provision firmware and update Download firmware from http:// Use a CD or DVD to load the
existing firmware, using the latest [Link] or vendor software.
image. sites. Then use the Upload ISO Images
action, the Upload Firmware action,
and the Import Images actions to
update the contents of the
Enterprise Controller's software
library.

Use Automatic Service Requests After you register the assets in the Contact My Oracle Support to
(ASR) My Oracle Support database and request service.
register a user account as the My
Oracle Support user, you have the
option to create a service request
whenever an incident is reported.
In an Automated Service Request,
the following information is sent
from the Enterprise Controller to
My Oracle Support:
serial number
FRU data
site location
hardware SNMP trap

Create a Services Request After you register the assets in the Contact My Oracle Support to
My Oracle Support database and request service. The Open Service
register a user account as the My Request action is disabled.
Oracle Support user, select the
Open Service Request action.

Verify warranties After you register the assets in the Contact My Oracle Support to
My Oracle Support database and coordinate warranty records with
register a user account as the My your own records.
Oracle Support user, view the
warranty of a specific asset or all
assets.

Disable Multiple Logins

Procedure for restricting a user to one login instance.

2-22 Security
Configuring Oracle Enterprise Manager Ops Center

The default behavior is to allow a user to log in multiple times. This convenience can
be a security risk. You can disable simultaneous sessions for an individual user
account or for a role, to affect all user accounts that have the role.

1. Click Setup in the title bar as shown in Figure 2-3.

2. Click My Preferences to change your account or click Role Preferences to change

the role, which affects all user accounts that have that role.

Figure 2-3 Setting User Preferences

3. Click User Interface Preferences.

4. In the Display Preferences section, select the Disable Multiple Sessions checkbox.

5. Log out and log in again to make the change take effect.

About Securing the Log Files

Describes the product’s log files.
All installation and upgrade log files remain in place to assist in diagnosing any
problems with the installation or upgrade. Because their content can be considered
sensitive, archive them securely and remove the files after a successful installation or
upgrade.
The product installs a diagnostic program,OCDoctor, that gathers logged data,
analyzes an installation for common errors, and responds to inquiries. To remove the
program at any time, delete its files and directories.
The installation logs are found in the following locations:

• Log of the most recent installation or uninstallation: /var/tmp/opscenter/

[Link]

• Log of previous installation or uninstallation operations: /var/tmp/opscenter/

[Link]

• Log of a specific installation:

/var/opt/sun/xvm/oracle/app/oraInventory/logs/
silentInstall<yyyy-mm-dd-hh-mm-sspm>.log

• Log of an agent installation: /var/scn/install/log

The log of upgrade actions for the Enterprise Controller and its co-located Proxy
Controller is in the file: /var/opt/sun/xvm/update-saved-state/
update_satellite_bundle_12.[Link]/[Link]
The log of upgrade actions for a Proxy Controller that is not co-located is in the
file: /var/opt/sun/xvn/update-saved-state/
update_proxy_bundle_12.[Link]/[Link]

Secure Installation and Configuration 2-23

Configuring Oracle Enterprise Manager Ops Center

About Database Credentials

Describes how the product’s database can be secured.
Database passwords are encrypted in /var/opt/sun/xvm/[Link],
using AES 128-bit encryption. The Advanced Encryption Standard (AES) specification
defines one key for both encrypting and decrypting electronic data.

About Securing the Local Database

Describes methods for keeping database secure when it runs on the same system as
the Enterprise Controller.
Access to the local database is restricted to processes on the Enterprise Controller. To
allow an external host to get access to the database, you must modify the Oracle*Net
Listener configuration, as described in Access to Database Data.

• You must protect the properties file for the database, /var/opt/sun/xvm/
[Link], because it contains schema names and passwords. Use the most
restrictive permission: read-only by file owner.

• You must protect the compressed file created when you use the ecadm backup
command, as described in About Backing Up and Restoring the Enterprise
Controller. This tar file contains the dump of the local database. You must also
ensure that the backup file is moved to an alternate location.

About Securing a Remote Database

Describes the methods for securing the database when it runs on a different system
from the Enterprise Controller’s system.

• You must remove the [Link] file after installation. The file contains
unencrypted credentials for the schema on the customer-managed database, used
to configure the connection between the Enterprise Controller and the remote
database. The file is located on the system that hosts the Enterprise Controller in a
directory chosen by the administrator who installed the software.

• If you are upgrading from product version 12c Release 1 ([Link].0) to a later
version and use a remote database, you must also execute the
refactorOCPrivs_12.[Link] script as described in the following section
to further tighten security for the schema owner on the remote database.

• You must protect the properties file for the database, var/opt/sun/xvm/
[Link], because it contains schema names and passwords. Use the most
restrictive permission: read-only by file owner.

• You must ensure that a remote database is included in your site's routine backup
plan so that the Oracle Enterprise Manager Ops Center data can always be
recovered.

Using the refactorOCPrivs_12.[Link] Script

Procedure for using the SQL script for a customer-managed database.
Use a database administrator account for this procedure.
To obtain the schema names for the remote database, view the /opt/sun/xvm/
[Link] file and search for the [Link] and [Link]
values.

2-24 Security
Configuring Oracle Enterprise Manager Ops Center

1. Copy the refactorOCPrivs_12.[Link] script from the Enterprise

• Oracle Solaris OS: /opt/ORCLsysman-db/sql/update/delta-update1/

oracle/refactorOCPrivs_12.[Link]

• Linux OS: /opt/orcl-sysman-db/sql/update/delta-update1/

oracle/refactorOCPrivs_12.[Link]

2. Log in as the database administrator and execute the SQL script, using the
following command:

sqlplus / as sysdba @refactorOCPrivs_12.[Link]

3. At the prompts for Ops Center database login and Read-Only Ops Center database
login, enter the schema names created when the remote database was created.

4. Verify the new roles and privileges by running the following SQL statement in a
privileged database administrator account:

set pages 0
Select
lpad(' ', 2*level) ||
Granted_Role "User, his roles and privileges"
From
(
-- THE USERS
Select
null Grantee,
UserName Granted_Role
From
Dba_Users
Where
UserName Like Upper('&_OC_SYSTEM_SCHEMA%')
-- ROLES TO ROLES RELATIONS
Union
Select
Grantee,
Granted_Role
From
Dba_Role_Privs
-- THE ROLES TO PRIVILEGE RELATIONS
Union
Select
Grantee,
Privilege
From
Dba_Sys_Privs
)
Start With
Grantee is null
Connect By
Grantee = Prior Granted_Role
/

Enter the value for the OC System Database Login (i.e the value for
[Link]) at the prompt:
Enter value for _oc_system_schema: OC <cr>

Secure Installation and Configuration 2-25

Configuring Oracle Enterprise Manager Ops Center

The following are the new roles and privileges, in addition to those granted when the
original schema was created such as CREATE DATABASE LINK.
CREATE TABLE
CREATE VIEW
OC_SYSTEM_ROLE
CREATE CLUSTER
CREATE INDEXTYPE
CREATE OPERATOR
CREATE PROCEDURE
CREATE SEQUENCE
CREATE SESSION
CREATE TRIGGER
CREATE TYPE

The following are the Read Only roles and permissions.

CREATE SESSION
CREATE SYNONYM

Changing the Database Credentials for the Ops Center User

Procedure for changing the credentials of the database that Ops Center uses.
You can change the database password for the Oracle Enterprise Manager Ops Center
user on an embedded or customer-managed database. The Enterprise Controller's
services must be restarted to use the new password.
Use this procedure to change the credentials:

1. Create a temporary file containing the new password and secure it with 600
permissions.

For example:
# touch /tmp/password
# chmod 600 /tmp/password
# vi /tmp/password
newpassword

2. Use the ecadm command with the change-db-password subcommand and the -
p <password file> option to change the database password. When prompted,
confirm the Enterprise Controller restart.

For example:
# ./ecadm change-db-password -p /tmp/password
The Enterprise Controller will be restarted after the database password is
changed. Continue? (y/n)
y
ecadm: --- Changed database password, restarting.
ecadm: shutting down Enterprise Controller using SMF...
ecadm: Enterprise Controller services have stopped
ecadm: Starting Enterprise Controller with SMF...
ecadm: Enterprise Controller services have started
#

3. If you have a high availability configuration, the ecadm command copies the new
database properties to each remote cluster node. Enter the root password for each
remote cluster node.

For example:

2-26 Security
Configuring Oracle Enterprise Manager Ops Center

ecadm: --- Changed database password, restarting.

The DB configuration file must now be copied to each remote cluster node.
You will be prompted for the root password for each node to perform the copy.
Copying to node OC-secondary
Password: password
<output omitted>
ecadm: --- Enterprise Controller successfully started HA
#

4. Remove the temporary file containing the new password.

For example:
# rm /tmp/password

Changing the Database Credentials for the Read-Only User

Procedure for changing the credentials for the database..
You can change the database password for the read-only user on an embedded or
customer-managed database. The Enterprise Controller's services must be restarted to
use the new password.
Use this procedure to change the credentials:

1. Create a temporary file containing the new password.

For example:
# vi /tmp/password
newpassword

2. Use the ecadm command with the change-db-password subcommand and the -
p <password file> and -r options to change the database password. When
prompted, confirm the Enterprise Controller restart.

For example:
# ecadm change-db-password -r -p /tmp/password
The Enterprise Controller will be restarted after the database password is
changed. Continue? (y/n)
y
ecadm: --- Changed database password, restarting.
ecadm: shutting down Enterprise Controller using SMF...
ecadm: Enterprise Controller services have stopped
ecadm: Starting Enterprise Controller with SMF...
ecadm: Enterprise Controller services have started
#

3. If you have a high availability configuration, the ecadm command copies the new
database properties to each remote cluster node. Enter the root password for each
remote cluster node.

For example:
ecadm: --- Changed database password, restarting.
The DB configuration file must now be copied to each remote cluster node.
You will be prompted for the root password for each node to perform the copy.
Copying to node OC-secondary
Password: password
<output omitted>
ecadm: --- Enterprise Controller successfully started HA
#

Secure Installation and Configuration 2-27

Configuring Oracle Enterprise Manager Ops Center

4. Remove the temporary file containing the new password.

For example:
# rm /tmp/password

Disable the Domain Model Navigator

Procedure for disabling the interface to the domain model.
Oracle Enterprise Manager Ops Center provides a Domain Model Navigator to allow
Oracle support personnel to gather detailed information about the state of the system.
This diagnostic interface is enabled by default and requires user authentication for
access. However, because the Domain Model Navigator displays an internal view of
the product software, disable the interface on the Enterprise Controller and Proxy
Controllers using the following procedure. The agents for assets are not part of the
Domain Model Navigator.

1. Log in to the Enterprise Controller as the root user.

2. Click Administration in the Navigation pane.

3. Click Enterprise Controller.

4. Click Configuration in the center pane.

5. In the Subsystem field, click Domain Model Navigator. The allowToRun

property's default value is true, as shown in Figure 2-4.

Figure 2-4 Property of Domain Model Navigator

6. Click in the Value field to edit it. Change the value to false.

7. Click the Save Properties icon.

8. Perform the following procedure on each Proxy Controller:

a. Edit the file /opt/sun/n1gc/lib/XVM_PROXY.properties

b. Add the following line to the file:

[Link]=false

c. Stop and restart the Proxy Controller:

/opt/SUNWxvmoc/bin/proxadm stop
/opt/SUNWxvmoc/bin/proxadm start

9. Stop and restart the Enterprise Controller:

/opt/SUNWxvmoc/bin/satadm stop
/opt/SUNWxvmoc/bin/satadm start

2-28 Security
Configuring Oracle Enterprise Manager Ops Center

To investigate an issue with an asset, My Oracle Support might instruct you to view
the Domain Model Navigator. To re-enable the Domain Model Navigator, use the
same procedure to set the property values to true.

Enable the Domain Model Navigator on the Enterprise Controller

Procedure for enabling the interface to the domain model.
To enable the Domain Model Navigator:

1. Log in to the Enterprise Controller as the root user.

2. Click Administration in the Navigation pane.

3. Click Enterprise Controller.

4. Click Configuration in the center pane.

5. Click the Restore Properties icon.

6. Repeat the following procedure on each Proxy Controller:

a. Edit the file /opt/sun/n1gc/lib/XVM_PROXY.properties

b. Add the following line to the file:

[Link]=true

c. Stop and restart the Proxy Controller:

/opt/SUNWxvmoc/bin/proxadm stop
/opt/SUNWxvmoc/bin/proxadm start

7. Stop and restart the Enterprise Controller:

/opt/SUNWxvmoc/bin/satadm stop
/opt/SUNWxvmoc/bin/satadm start

Using the Domain Model Navigator

Procedures for locating or changing information in the domain model.
The Domain Model represents Domain Model MBeans, Gear Model MBeans, and
Service MBeans and their current states.
To diagnose or correct a problem, you might be directed by My Oracle Support to
search for or change information in the domain model. Use the following procedures
to complete this task:

• Logging Into the Domain Model

• Searching the Domain Model

• Changing the Domain Model

• Logging Out of the Domain Model Navigator

Logging Into the Domain Model

Procedure for getting access to the domain model.
In the web browser, navigate to the following:

Secure Installation and Configuration 2-29

Configuring Oracle Enterprise Manager Ops Center

On the Enterprise Controller's system: [Link]

On the Proxy Controller's system: [Link]
Log in as the root user of the host system.

Searching the Domain Model

Procedure for locating information about assets in the domain model.
The Domain Model Navigator has two tabs: Domain Model/Gear Model page and the
JMX Navigator page. Each page contains the definition of assets and some statistics.
To locate a specific asset, use the following search tactics:

• Match JMX patterns in the name. For example, to search for all cache managers,
search for: *:type=*Cach*,*

• Use a JMX query:

– PowerOff, which invokes the PoweredOn = false query

– Status Not OK, which invokes the not Status = 'OK' query

– Unreachable, which invokes the Reachable = false query

• Create a JMX query. These queries are case-sensitive.

Changing the Domain Model

Lists the operations you can perform on the domain model.
You can perform the following operations. You must provide the root password.

• Refresh

• Set

Warning:

An additional operation, Unregister, is available to Oracle Support engineers.

Do not attempt to perform this operation unless you are directed by My
Oracle Support.

These operations are recorded in the audit log located at /var/cacao/instances/

oem-ec/logs/audit-logs.0

Logging Out of the Domain Model Navigator

Procedure for logging out of the domain model securely.
Because you are using the HTTPS protocol, the root credentials are included in each
transaction. To log out securely, you must delete the credentials from the browser.

Secure the Agents

Procedure for encrypting the credentials for an Agent Controller.
To encrypt the credentials used to get access to the Agent Controller of an asset:

1. Check the status of the agent:

2-30 Security
Configuring Oracle Enterprise Manager Ops Center

/var/opt/sun/xvm/OCDoctor/[Link] --update
/var/opt/sun/xvm/OCDoctor/[Link] --troubleshoot

2. Check the prerequisites for encryption and then encrypt the agent password:

/var/opt/sun/xvm/OCDoctor/[Link] --troubleshoot --fix

About Securing the Browsers

Describes a how to make web browsers secure.
To implement transactions securely, Oracle Enterprise Manager Ops Center supports
specific communications and security standards and methods such as HTTP, TLS, x.
509 certificates, and Java. Most browsers support several of these features but users
must configure their browsers properly to take advantage of security capabilities.

Note:

Oracle Enterprise Manager Ops Center does not use any version of SSL. All
transactions with the web browser are in TLS. To verify that SSL is not used,
use the following command:
openssl s_client -connect IPaddress:port -ssl3

The response includes the status:

SSL routines:SSL3_WRITE_BYTES:ssl handshake failure

Information sent to and from a browser is transmitted in the clear so any intermediate
site can read the data and potentially alter it in transit. Oracle Enterprise Manager Ops
Center's browsers and servers address this problem in part by using the Secure
Sockets Layer to encrypt HTTP transmissions (referred to as HTTP/SSL or HTTPS).
This ensures the security of data transmitted from the client to the server. However,
because browsers do not ship with client certificates, most HTTPS transmissions are
authenticated in only one direction, from server to client. The client does not
authenticate itself to the server.
The browser interface uses JavaScript extensively. Take care to protect against
JavaScript-based attacks.

About Strong Cipher Encryption

Describes the role of encryption in the product architecture.
When Enterprise Manager Ops Center discovers an asset, it encrypts its transactions
with the asset using AES-128 encryption. the strongest AES key available to the asset's
platform. The default is AES-256 encryption; the alternatives are AES-192 and then
AES-128.
By default, Enterprise Manager Ops Center encrypts its transactions with assets using
AES-128 encryption. If an asset's sshd daemon uses a AES-192 or AES-256 encryption,
you must also configure the Proxy Controller's system to manage the asset.

Secure Installation and Configuration 2-31

Configuring Oracle Enterprise Manager Ops Center

Note:

Some locales do not allow the use of strong ciphers. It is the user's
responsibility to verify that this level of encryption is allowed under local
regulations.

Verifying the Encryption Type

Procedure for determining information about encryption.
To determine the type of encryption used with an asset, view the asset's /etc/ssh/
sshd_config file and look for content such as the following in the Ciphers section:
Ciphers aes256-cbc

Configuring Proxy Controllers to Use a Strong Cipher Suite

Procedure for encrypting credentials for a Proxy Controller.
Use the following procedure to download the Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files and move them to the systems running a
Proxy Controller.

1. On an Internet-facing system, navigate to [Link]

technetwork/java/javase/downloads/[Link].

2. Click Accept License Agreement.

3. Click the [Link] link and download the file.

4. Unzip the [Link] file.

5. Move the local_policy.jar and US_export_policy.jar files to

the /usr/jdk/jdk<latest version>/jre/lib/security/ directory on the
Proxy Controller.

6. Restart the system.

Transport Layer Security (TLS)

These sections describe how to increase the level of security provided by the TLS
protocol among components of the Oracle Enterprise Manager Ops Center product.

• About TLS Versions

• Changing the TLS Version for Apache UCE Container

• Changing the TLS Version for Glassfish Web Container

About TLS Versions

The Transport Layer Security protocol provides a foundation for privacy and data
integrity between two communicating applications.
The Transport Layer Security protocol now has three versions of increasing security:
TLS 1.0, TLS 1.1, and TLS 1.2.
The default version used in Oracle Enterprise Manager Ops Center is TLS 1.0. You can
change the version of protocol for all communications if both the communicating
application supports the TLS version you want to use. To change the version of

2-32 Security
Configuring Oracle Enterprise Manager Ops Center

protocol for all communications, change the Enterprise Controller’s Glassfish server
and each remote Proxy Controller’s Glassfish Serve and change the Apache UCE
Container.

Changing the TLS Version for Apache UCE Container

The Transport Layer Security protocol has three versions.
Starting in 12.3.2, the product’s Apache UCE Container supports all three versions of
TLS: TLSv1.0, TLSv1.1 and TLSv1.2. Some sites require a higher minimum version. To
change the acceptable version of TLS, perform the following procedure on the
Enterprise Controller and on each remote Proxy Controller.

1. Login as root.

2. Edit the conf/extra/[Link] file.

3. Locate the line: SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1

4. To set the protocol to accept only TLS v1.2, change the line to: SSLProtocol -
all +TLSv1.2

5. Restart the Enterprise Controller.

6. Repeat this procedure on each remote Proxy Controller.

Changing the TLS Version for Glassfish Web Container

The Transport Layer Security protocol has three versions.
Starting in 12.3.2, the product’s Glassfish Web Container supports all three versions of
TLS: TLSv1.0, TLSv1.1 and TLSv1.2. The default is TLSv1.0, indicating that Version 1.0
is the minimum accepted level for communication. Some sites require a higher
minimum version. To change the acceptable version of TLS, perform the following
procedure on the Enterprise Controller and on each remote Proxy Controller.

Note:

Before changing the TLS version used by the Proxy Controller, check if all the
Agent Controllers managed by the Proxy Controller can use the TLS version.
Agent Controllers that use JDK 6 version lesser than 1.6.115 only supports
TLSv1.0.

1. To see the current minimum version of the TLS protocol, issue the following
command:ecadm get-tls-level

TLS configuration : TLSv1.0 enabled, TLSv1.1 enabled, TLSv1.2

enabled

2. To change the minimum version, use the ecadm set-tls-level -e|--enable

0|1|2 command. The integers refer to the point release of the protocol version, for
example, 1 indicates TLSv1.1. To change the minimum version to TLSv1.2, use the
following command:

ecadm set-tls-level -e 2

TLS configuration : TLSv1.0 disabled, TLSv1.1 disabled,

TLSv1.2 enabled

Secure Installation and Configuration 2-33

Viewing the Enterprise Controller's Configuration

3. Repeat this procedure on each remote Proxy Controller.

Viewing the Enterprise Controller's Configuration

Procedure for displaying information about the Enterprise Controller.
To view the Enterprise Controller's configuration:

1. Select the Enterprise Controller in the Administration section of the Navigation

pane.

2. Click the Configuration tab.

3. Select one of the following subsystems to display its settings:

• Agent Provisioning: Manages the provisioning of Agent Controllers.

• Automated Service Requests: Manages the Automated Service Request (ASR)

settings.

• Database: Manages the database used by Oracle Enterprise Manager Ops Center.

• EC Manager: Manages the Enterprise Controller.

• Firmware: Manages firmware downloads.

• Job Manager: Manages the way that jobs are run.

• My Oracle Support (MOS): Manages communications with MOS.

• Network/Fabric Manager: Manages networks and fabrics.

• OCDoctor: Manages the OCDoctor location and updates.

• OS Provisioning: Manages network and fabric settings.

• Permission Cache: Manages cache sizes.

• Power: Manages energy cost settings.

• Proxy Manager: Manages the interactions between the parts of the infrastructure.

• Quartz Scheduler: Manages the quartz scheduler.

• Role Preferences: Manages role settings.

• Update: Manages the location of update libraries.

• Zone Controller: Manages the zone management settings.

About Editing the Configuration

Description of the role for changing the configuration..
The Ops Center Admin role is the only role that can modify the configuration
properties. Use care in assigning this role to a user.

2-34 Security
Access to Database Data

Note:

Editing configuration properties can have an adverse affect on the stability

and performance of the product and is done only if directed by My Oracle
Support.

Access to Database Data

Lists the parameters needed to use SQL.
The information in this section is also in Access the Product Database.
This section describes how to view the core product data stored in the Oracle
Enterprise Manager Ops Center database using or . Use this information to integrate
this product with other applications such as Oracle Enterprise Manager Cloud
Control, or to pull data from the Oracle Enterprise Manager Ops Center datastore for
analytical applications. To use , you need the following information:

• Database host name – The name of the database host is listed in the [Link]
property of the /var/opt/sun/xvm/[Link] file on the Enterprise
Controller system. The format for this property is:
jdbc:oracle:thin:@<databasehostname>:<listenerPort>/
<OracleServiceName>

• Read-Only User Name – The Read-Only User name is a schema on the Oracle
Enterprise Manager Ops Center Repository that is configured to access Oracle
Enterprise Manager Ops Center data using read-only views. When the Enterprise
Controller uses an embedded database, the username is OC_RO. When the
Enterprise Controller uses a customer-managed database, the schema name is
included in the [Link] property of the /var/opt/sun/xvm/
[Link] file.

• Read-Only Password – When your Enterprise Controller is configured with the

embedded database, the password is randomized at installation. If you do not
know the embedded database password, see Changing the Database Credentials
for the Read-Only User for information about changing the password. If you are
using a customer-managed database and you do not know the password, ask your
database administrator for assistance.

• Listener Port – The listener port number for the database is listed in the
[Link] property of the /var/opt/sun/xvm/[Link] file on the
Enterprise Controller system. The format for this property is:
jdbc:oracle:thin:@<databasehostname>:<listenerPort>/
<OracleServiceName.

• Oracle Service Name – For embedded databases, the service name is

[Link] where example is the string oracle. For customer-
managed databases, the service name is listed in the [Link] property of
the /var/opt/sun/xvm/[Link] file on the Enterprise Controller
system. The format for this property is:
jdbc:oracle:thin:@<databasehostname>:<listenerPort>/
<OracleServiceName.

Viewing Core Product Data Using Oracle SQL Developer

Procedure for displaying information about the database.

Secure Installation and Configuration 2-35

Access to Database Data

Using Oracle SQL Developer, you can connect to the database using a read-only
account and view the schema structures and data.

Modifying Oracle*Net Listener

Procedure for allowing remote access to the embedded database.
To allow an external host to get access to the database, you must modify the
Oracle*Net Listener configuration on the Enterprise Controller:
1. Change to Oracle Enterprise Manager Ops Center's user environment:

$ su - oracleoc

2. Edit the [Link] file:

vi $ORACLE_HOME/network/admin/[Link]

3. Disable valid node checking by commenting the following lines:

#tcp.validnode_checking = yes
#tcp.invited_nodes = (localhost,x4150-brm-04)

4. Save the file and exit.

5. To use the new version of the file, either restart all services on the Enterprise
Controller, or reload the Oracle*Net Listener configuration from the oracleoc
user environment.

/opt/SUNWxvmoc/bin/satadm stop -w
/opt/SUNWxvmoc/bin/satadm start -w

OR
$ lsnrctl reload OCLISTENER

Opening Oracle*Net to External Access

Procedure for getting access to the embedded database.
If you are using the embedded database, you must open Oracle*Net to enable external
access before you can connect to the database.
1. Log in to the Enterprise Controller system.

2. Change to the user that owns the Oracle software. For example:

$ su - oracleoc

3. Modify the [Link] file to comment out the two lines beginning with
tcp.validnode_checking and tcp.invited_nodes. For example:

$ vi $ORACLE_HOME/network/admin/[Link]
#tcp.validnode_checking = yes
#tcp.invited_nodes = (localhost,<EnterpriseControllerHostname>)

4. Use the lsnrctl reload command to reload the listener configuration without
stopping the Enterprise Controller services. For example:

$ lsnrctl reload OCLISTENER

Creating the Connection to the Database

Procedure for configuring access to the database.

2-36 Security
Access to Database Data

You must create a connection to the Enterprise Manager Ops Center database in .

1. In Oracle SQL Developer, click the New Connection icon in the Connections tab.

2. Enter the connection information, then click Save:

• Connection Name – Enter a name. This name is only used in Oracle SQL
Developer.

• Username – Enter the schema name for the read-only user.

• Password – Enter the password for the read-only user.

• Host name – Enter the name of the database host.

• Port – Enter the Oracle*Net Listener port number.

• Service Name – Select the service name option and enter the service name. For
embedded databases, the service name is shown in the following figure. For
customer-managed databases, the service name is included in the
[Link] property in the /var/opt/sun/xvm/[Link] file.

Viewing Data From the Database Using Oracle SQL Developer

Procedure for displaying information in the database.
After you create the connection, view product data:

1. Select the connection you created in the previous procedure. The contents of the
target database are displayed.

Secure Installation and Configuration 2-37

Access to Database Data

2. Within the database hierarchy, expand the Other Users section, then select the
application user and expand the Views section. If you are using an embedded
database, the application user is OC. If you are using a customer-managed
database, the application user is included in the [Link] property of
the /var/opt/sun/xvm/[Link] file.

The database columns visible to the application user are displayed.

2-38 Security
Access to Database Data

3. View the comment column to find the location of the Javadoc for each column,
which explains the usage of the column.

Note:

The [Link] package, which is included with the product

installation media, installs Javadoc. If this package is not installed on your
system, use the pkgadd command to install it for Oracle Solaris systems, or
the rpm command to install it for Linux systems.

After you get access to the product data, you can integrate the data with other
applications, run analytics on the product data, or take other actions that require the
data.

Viewing Core Product Data Using SQL*Plus

Procedure for displaying information in the database about assets.
If you have access to the Enterprise Controller system, you can access the database
from the command line.

1. Log in to the Enterprise Controller system.

2. Run the ecadm sqlplus command. Use the -r option to access the database in
read-only mode.

You are connected to the database using the SQL*Plus interface.

Secure Installation and Configuration 2-39

Access to Database Data

3. Invoke commands using the SQL*Plus syntax.

• To see a list of views:

select view_name from user_views where (view_name like 'V_VMB%' or view_name
like 'V_VDO%')

• To see comments on a specific view:

select comments from user_tab_comments where table_name='<view name from the
above list>'

• To see comments on all columns of a specific view:

select column_name, comments from user_col_comments where table_name='<view
name from the above list>'

2-40 Security
3
Security Features

Describes the role of security in the product architecture.

Oracle Enterprise Manager Ops Center provides security services for user
authentication, custom user authorization, and protection for data in repositories and
during network transmissions. Oracle Enterprise Manager Ops Center also provides
network authentication between its infrastructure components using standard
certificates.
Oracle Enterprise Manager Ops Center uses standard protocols and third-party
solutions to secure data and operations, using TLS and X.509v3 certificates, and secure
HTTP and PAM (Pluggable Authentication Modules) protocols to provide the
following services:

• Authentication

• Authorization

• Access Control

• Data Protection

Configuring and Using Authentication

Describes authentication.
Authentication allows a system to verify the identity of users and other systems that
request access to services or data. In a multi-tier application, the entity or caller can be
a human user, a business application, a host, or one entity acting on behalf of another
entity.
Topics

• About Identity Management for Users

• Credentials for My Oracle Support

• Credentials for IAAS and Cloud Deployments

About Identity Management for Users

Describes how users are authenticated.
Users log in to the browser interface to use the product. The credentials must be valid
for the Oracle Enterprise Manager Ops Center installation.
Add users to Oracle Enterprise Manager Ops Center from the local authentication
subsystem of the Enterprise Controller's operating system or from a separate directory
server.

Security Features 3-1

Configuring and Using Authentication

About Configuring an LDAP Server

Procedure for changing the LDAP server..
You can add directory servers to Oracle Enterprise Manager Ops Center. Users and
roles are added to the product from the directory server. The information in this
section is also in the Oracle Enterprise Manager Ops Center Administration.
To grant roles to the users in a directory server, you create groups on the directory
server that correspond to the roles in Enterprise Manager Ops Center. You grant a role
to a user by adding the user to the corresponding group, and remove a role from a
user by removing them from the group. You cannot edit the roles of a directory server
user through the user interface.
Users that are added from a directory server begin with complete privileges for each
of their roles.
You must configure the remote directory server before adding it to Oracle Enterprise
Manager Ops Center.

To Configure the Directory Structure

Procedure for adding a new directory server for Oracle Enterprise Manager Ops
Center to use.

1. Create the following user groups on the directory server:

• ASSET_ADMIN

• CLOUD_ADMIN

• CLOUD_USER

• EXALOGIC_ADMIN

• FAULT_ADMIN

• NETWORK_ADMIN

• OPS_CENTER_ADMIN

• PROFILE_PLAN_ADMIN

• READ

• REPORT_ADMIN

• ROLE_ADMIN

• SECURITY_ADMIN

• SERVER_DEPLOY_ADMIN

• STORAGE_ADMIN

• Update_ADMIN

• Update_SIM_ADMIN

• USER_ADMIN

• VIRT_ADMIN

3-2 Security
Configuring and Using Authentication

2. Add users to these groups. The users within each group are given the role
corresponding to the group.

To Add a Directory Server

Procedure for adding a new directory server for Oracle Enterprise Manager Ops
Center to use.

1. Select Administration in the Navigation pane.

2. Click Directory Servers.

3. Click the Add Directory Server icon.

The Remote Directory Server Connection Settings page is displayed.

4. Enter the following connection settings:

• Name: The name of the directory server.

• Host: The host name of the directory server.

• Port: The port number to be used to access the directory server.

• SSL: Check this box to use TLS to connect to the directory server.

• Anonymous Bind: Check this box to use anonymous binding to access the
directory server.

• Username: The user name used to access the directory server. Username is
required only if Anonymous Bind is not checked.

• Password: The password for the given user name. Password is required only if
Anonymous Bind is not checked.

• Authentication: Select Use Directory Server for Authentication or Use Ops

Center Local Authentication.
Click Next.
The Remote Directory Server Schema Settings page is displayed.

5. Enter the following schema settings:

• Root suffix: The root node of the directory tree.

• Group search DN: The container or operational unit in which to search for the
role groups.

• Group search scope: The scope of the group search. Select Search One Level or
Search Subtree.

• User search DN: The container or operational unit in which to search for users.

• User search scope: The scope of the user search. Acceptable values are base,
one, subtree, baseObject, singleLevel, wholeSubtree, or subordinateSubtree.

• User search filter: An LDAP search filter which users must meet for inclusion.
Click Next.
The Summary page is displayed.

Security Features 3-3

Configuring and Using Authentication

6. Review the summary, then click Add Directory Server.

About PAM Authentication

Procedure for setting the PAM authentication service.
Oracle Enterprise Manager Ops Center uses Pluggable Authentication Modules (PAM)
to validate credentials for user accounts of users who log in to the browser interface.
The default PAM service allows users to log in to the system in the standard way.
The pam-service-name parameter sets the PAM service for the oem-ec instance of
the cacao daemon.

• Oracle Solaris: The default value is pam-service-name=other

• Linux: The default value is pam-service-name=passwd

If you require control of the PAM configuration, create a PAM service with a different
service name, which uses different PAM modules.

Verifying PAM Authentication

Procedure for displaying the PAM service.
To see the current value of the pam-service-name parameter, use the following
cacaoadm command:
./cacaoadm get-param -i oem-ec pam-service-name

Changing the PAM Authentication

Procedure for changing the the way PAM authentication is used..
To change the authentication service from the operating system's default to a different
service name, use the following procedure. If this is a High Availability environment,
perform the procedure on both the primary node and on the standby node.

1. On a Linux system, create a configuration file or edit the existing configuration file
for the service to use. The configuration file has the same name as the service.

/etc/pam.d/filename

On an Oracle Solaris 10 system, edit the following file:

/etc/[Link]

2. Change the contents of the configuration file. For example:

auth required pam_warn.so debug

auth required pam_safeword.so.1 debug
account include system-auth
password include system-auth

3. To initialize the PAM service with the new configuration, stop the Enterprise
Controller:

/opt/sun/xvmoc/bin/satadm stop

4. Change the value of the pam-service-name parameter

./cacaoadm set-param -i oem-ec pam-service-name=opscenter

5. Verify the change:

3-4 Security
About Authorization

./cacaoadm get-param -i oem-ec pam-service-name

6. Restart the Enterprise Controller:

/opt/sun/xvmoc/bin/satadm start

Note:
If you use the SafeNet SafeWord® Agent for PAM software
(pam_safeword.so), you can use the SafeWord static password mode or
single-use dynamic password mode, but you cannot use the dynamic
challenge password mode. To use single-use dynamic passwords, you must
modify the pam_safeword.cfg file to ensure that the User ID source is set to
SYSTEM and not USER. The SYSTEM setting causes the authentication process
to get the User ID from the /etc/passwd file.

Credentials for My Oracle Support

Describes access to My Oracle Support.
In Connected mode, the Oracle Enterprise Manager Ops Center software requires the
user to provide one or more sets of My Oracle Support credentials. These credentials
are used to authenticate and authorize downloading product updates, creating Service
Requests, and retrieving warranty information, in addition to the initial authentication
between the Enterprise Controller's system and My Oracle Support.

Credentials for IAAS and Cloud Deployments

Describes the protection of the location of the private key.
Some commands for the IAAS platform require a parameter for the location of the
private key file. Because the private key authenticates a cloud user, this file is sensitive
and must be managed as a security risk:

• The file must be owned by the user running the IAAS command-line interface.

• The file must have the highest restrictive permission: read-only by file owner.

About Authorization
Describes authorization.
Authorization allows a system to determine the privileges which users and other
systems have for accessing resources on that system.
Roles grant users the ability to use the different functions of Oracle Enterprise
Manager Ops Center. By giving a role to a user, an administrator can control what
functions are available to that user and for which groups of assets.
An Enterprise Controller Admin can grant users different roles for the Enterprise
Controller, the All Assets group, and any user-defined groups. A user who is assigned
a role for a group receives the same role for all subgroups.

Security Features 3-5

About Authorization

Caution:

A user with the Apply Deployment Plans, Exalogic Systems Admin, or

SuperCluster Systems Admin role can apply an operational profile to a
managed system using root access. Take care when assigning these roles
because the role allows the user to use an operational profile to run scripts.

About Credentials for Assets

Describes the types of credentials used to manage assets.
Oracle Enterprise Manager Ops Center uses credentials to discover and manage assets
and to establish trust between internal components. Examples of the types of
credentials managed by Oracle Enterprise Manager Ops Center include:

• SSH credentials for Operating System instances and hardware service processors.

• IPMI credentials for hardware service processors

To see a list of all the types of credentials, select Credentials in the Administration
section, then click Create Credentials in the Actions pane. The drop-down list for the
Protocols field shows all of the supported protocols.
Oracle Enterprise Manager Ops Center requires remote network access and
administrative privileges to discover and manage an asset. This can be done either by
using a privileged account or by combining the credentials of a non-privileged user
account with the credentials for the administrative account. In this case, Oracle
Enterprise Manager Ops Center uses the non-privileged user account to connect to the
system and then uses the administrative account to inquire about the characteristics of
the system.
To discover an ILOM system, the account must have administrator privileges on the
system, and both IPMI and ssh credentials must be provided.

Note:

IPMI communications from the Proxy Controller to the ILOM system are not
encrypted. To protect the transmissions, isolate the ILOM system and the
Proxy Controller it uses within your private administrative network.

Using SSH Key-Based Authentication

Procedure for using an SSH key for access to assets.
If you prefer not to use password-based SSH credentials, create an SSH key to get
access to remote assets, such as operating systems, ILOM service processors, and XSCF
service processors. The assets must support the SSH protocol. Oracle Enterprise
Manager Ops Center does not protect the SSH keys. If you choose to use this method,
you must ensure the following:

• You must create the SSH key on each Proxy Controller that needs to get access to
the asset.

• For an OS asset, you must add the SSH public key to the ~/.ssh/
authorized_keys file. For a hardware asset, you must use the asset's Web
interface to upload the public SSH key.

3-6 Security
About Authorization

To create the SSH key, use the Create Credentials action.

1. Enter a name for the key.

2. Click the Custom SSH key button, as shown in Figure 3-1, to enable the remaining
fields.

Figure 3-1 Creating an SSH Public Key

3. In Login User, enter the name of the account that uses this key.

4. The location of the key file is set to the default location for the sshkey-gen utility.
If your site uses a different location, edit this field.

5. (Optional) For OS assets, create a privileged user such as root, or a non-privileged

user with keys. Provide a password for the role.

The passphrase is an optional addition to the password and is created at the same
time as the key.

6. Click Create to create the SSH key.

Creating Credentials for Access to the Serial Console or SSH Tunnel

Procedure for creating console or SSH credentials.
The information is this section is also in the Oracle Enterprise Manager Ops Center
Configure Reference.
To enable a connection to a service processor or virtual machine, define the user
account that Enterprise Manager Ops Center uses to open an SSH tunnel on the
Enterprise Controller or to create a serial connection.

Security Features 3-7

About Authorization

Note:

If you do not specify this account, Enterprise Manager Ops Center creates an
account each time it accesses a serial console and deletes the account when the
connection is no longer needed. This activity might not conform to your site's
security policy.

The following types of assets use SSH to connect to a serial console. Create an account
for each type and define the same password for each account.

• Proxy Controllers

• Global zones that use agents and require access to the consoles of non-global zones

• Control domains that use agents and require access to the consoles of logical
domains
To create the account, define the ConsoleSSHCredname system property using the
procedure in Defining the system property for console access and then define a user
account for that property using either the procedure in Creating the account using
Enterprise Manager Ops Center or the procedure in Creating the account using the
useradd command.

Defining the system property for console access

Procedure configuring console access.

1. Select the Administration section in the Navigation pane.

2. Select the Configuration tab in the center pane.

3. In the Subsystem list, select Console Access Configuration. The

[Link] system property is displayed.

4. Click in the Values column.

5. Enter the name of the new user account. For example, SERIALCONSOLE_CRED1.

Figure 3-2 Configuring Console Access

6. Click Save.

When the job is completed, define the account using the following procedure.

Creating the account using Enterprise Manager Ops Center

Procedure for creating a new account.
You must have the Security Admin role to perform this procedure.

3-8 Security
About Authorization

After you define the user account, the account is created automatically in /etc/
passwd the first time a job for console access is run. However, if your site's security
policy requires that the operating system account must be created outside of
Enterprise Manager Ops Center's control or if you prefer to create the account
manually, use the procedure described in Creating the account using the useradd
command.

1. Select the Administration in the Navigation pane.

2. Select Credentials in the Navigation pane.

3. Click Create Credentials in the Actions pane.

4. Select the SERIAL_CONSOLE_SSH protocol and enter the following details:

• Name of the credential: Enter the value of the [Link] system

property. In this example, SERIALCONSOLE_CRED1.

• Login User: Enter a convenient or descriptive name for the user account, for
example, ConsoleAccess.

• Password for the user account and its confirmation.

Figure 3-3 User Account for Console Access

5. Click Create to submit the job.

Creating the account using the useradd command

Procedure for creating a new account.

1. Create the home directory for the account. In the following example, the account is
named consolex:

mkdir /var/tmp/consolex

2. Add the user account with its shell, /opt/sun/n1gc/bin/serial_console:

useradd -s "/opt/sun/n1gc/bin/serial_console" -d /var/tmp/consolex -u uid -P

"profile" -A "[Link]" consolex

where uid is an available user ID on the Enterprise Controller's system and profile is
either LDoms Review for a control domain or Zone Management for a global

Security Features 3-9

About Authorization

zone. The -A option is a feature of Oracle Solaris 11's useradd(1m) command that
includes an authorization defined in auth_attr(4).

3. Change the ownership of the home directory:

/bin/chown consolex /var/tmp/consolex

/bin/chmod 700 /var/tmp/consolex

4. Set and confirm the password for the account:

passwd consolex

About Managing Assets Using the agentadm Command

Describes a method of managing assets without storing credentials.
The information in this section is also in the Oracle Enterprise Manager Ops Center
Configure Reference.
Although it is possible to discover assets without providing credentials, Oracle
Enterprise Manager Ops Center is limited in its ability to manage or monitor these
assets. If you prefer not to store credentials for assets in the product software, install
the Agent Controller on each asset manually.
Use these procedures to install an Agent Controller and to register the target system.

Before You Install an Agent Controller

Lists prerequisites for installing an agent.
To use the agentadm command, you need the following information:

• To configure your Agent Controller software using an administrative user account

on the Enterprise Controller you need:

– User name: the user account provides authentication that supports Agent
Controller registration. Use the user name of this account as the argument for
the -u option of the agentadm command.

– Password: use this password to populate the /var/tmp/OC/mypasswd file.

Then use this file name as the argument for the -p option of the agentadm
command.

• The auto-reg-token registration token from the /var/opt/sun/xvm/

persistence/scn-proxy/[Link] file on the appropriate
Proxy Controller – If you decide not to use user credentials to configure your Agent
Controller software, use this token to populate the /var/tmp/OC/mytoken file.
Then use this file name as the argument for the agentadm -t option.

• IP address or host name of the Proxy Controller with which you will associate the
Agent Controller – Use this IP address or host name as the argument for the
agentadm -x option. Typically, you would associate the Agent Controller with
the Proxy Controller that is connected to the same subnet as the target system.

• The IP address of the network interface that the Agent Controller will use for
registration – Use this IP address as the argument for the agentadm -a option.
Some example agentadm commands in this procedure use the alternative
administrative user name droot. In these examples, the droot user exists on the
Enterprise Controller.

3-10 Security
About Authorization

When you install an Agent Controller on a global zone, the installation installs, or
upgrades to, Oracle Java Runtime Environment (JRE) 1.6.0_91. If a later version of JRE
is installed, the installation does not downgrade.

Using User Credentials to Install and Configure an Agent Controller Manually

Procedure for installing an Agent Controller manually.
This procedure creates a file that holds the password of the administrative user for
your Enterprise Manager Ops Center installation.

1. On the Enterprise Controller, change to the /var/opt/sun/xvm/images/

agent/ directory, and list the files that it contains to see the Agent Controller
installation archives. For example:

# cd /var/opt/sun/xvm/images/agent/
# ls
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
#

2. Identify the Agent Controller archive that is appropriate for the system where you
intend to install the Agent Controller, the target system. See Table 3-1 for a
description of the available packages.

Table 3-1 Agent Controller Packages and Their Operating System and
Architecture

File prefix Operating System / Architecture

[Link].i686 Oracle Linux/x86

[Link].i386 Oracle Solaris 10/x86

[Link] Oracle Solaris 10 / Oracle SPARC

[Link] Oracle Solaris 11 / x86 and Oracle SPARC

3. On the system where you want to install the Agent Controller, create the following
directory:

# mkdir /var/tmp/OC

4. Use scp or ftp to transfer the Agent Controller archive from the Enterprise
Controller to the /var/tmp/OC directory. Respond to any authentication or
confirmation prompts that are displayed. For example:

# scp [Link] root@[Link]:/var/tmp/OC

Password:
OpsCenterAgent.S 100% |
*********************************************************************| 187078 KB
00:32
#

5. Navigate to the /var/tmp/OC directory:

Security Features 3-11

About Authorization

# cd /var/tmp/OC
#

6. Use the unzip command to uncompress the Agent Controller archive. For
example:

# unzip [Link]
(output omitted)

7. If you are installing the Agent Controller on Oracle Solaris 8-10, run the install
-a script in the OpsCenterAgent directory. For example:

# OpsCenterAgent/install -a
Installing Ops Center Agent Controller.
No need to install 120900-04.
No need to install 121133-02.
No need to install 119254-63.
No need to install 119042-09.
No need to install 121901-02.
No need to install 137321-01.
Installed SUNWjdmk-runtime.
Installed SUNWjdmk-runtime-jmx.
(output omitted)
6 patches skipped.
19 packages installed.
Installation complete.
Detailed installation log is at /var/scn/install/log.
Uninstall using /var/scn/install/uninstall.

If you are installing the Agent Controller on Oracle Solaris 11, run the install
command with the -p option and specify the IP address. The command configures
a local IPS repository using the IP address. For example:
# OpsCenterAgent/install -p [Link]

If you are installing an Oracle VM Server Virtualization Controller Agent, use the -
l (or --ldom) option.

8. Create an empty file named /var/tmp/OC/mypasswd, and set its permission

mode to 400. For example:

# touch /var/tmp/OC/mypasswd
# chmod 400 /var/tmp/OC/mypasswd

9. Edit the /var/tmp/OC/mypasswd file to add the password for the administrative
user that exists on the Enterprise Controller to which the Proxy Controller is
connected. The following echo command appends the password to
the /var/tmp/OC/mypasswd file. Replace the password with the correct
password. For example:

# echo 'password' > /var/tmp/OC/mypasswd

10. Use the agentadm command to associate the Agent Controller with the Proxy
Controller.

• Oracle Solaris OS: /opt/SUNWxvmoc/bin/agentadm configure

• Linux OS: /opt/sun/xvmoc/bin/agentadm configure

The example commands below use the following options:

3-12 Security
About Authorization

• -u: Specifies the administrative user that exists on the Enterprise Controller to
which the Proxy Controller is connected. Be certain that the password that you
specified in the /var/tmp/OC/mypasswd file is correct for the user that you
specify for this option.

Note:
The examples use droot as the administrative user.

• -p: Specifies the absolute path name of the file that contains the password for
the user that you specified with the -u option.

• -x: Specifies the IP address or host name of the Proxy Controller to which this
Agent Controller will connect.

• -a: Specifies the IP address to use during Agent Controller registration. This
selects the network interface that the Agent Controller will use for registration.
Accept the server's certificate when prompted. For example:
# /opt/SUNWxvmoc/bin/agentadm configure -u droot -p /var/tmp/OC/mypasswd -x
[Link]
agentadm: Version 1.0.3 launched with args: configure -u droot -p /var/tmp/OC/
mypasswd -x [Link]
workaround configuration done.
Certificate:
Serial Number: 947973225
Version: 3
Issuer: CN=flyfishing_scn-proxy_ca
Subject: CN=flyfishing_scn-proxy_Agent Controller
Not valid before: Thu Jun 19 [Link] MDT 1969
Not valid after: Thu Apr 19 [Link] MDT 2029
Certificate:
Serial Number: 1176469424
Version: 3
Issuer: CN=flyfishing_scn-proxy_ca
Subject: CN=flyfishing_scn-proxy_ca
Not valid before: Thu Jun 19 [Link] MDT 1969
Not valid after: Thu Apr 19 [Link] MDT 2029
Accept server's certificate? (y|n)
y
Connection registered successfully.
scn-Agent Controller configuration done.
Checking if UCE Agent Controller process is still running, it may take a
couple of minutes ...
Process is no longer running
UCE Agent Controller is stopped.
UCE Agent Controller is in [online] state.
Checking if UCE Agent Controller process is up and running ...
The process is up and running.
UCE Agent Controller is started.
Added the zone configuration automation successfully.
Added the service tags recreate script successfully.
#

Error messages similar to Connection cannot be registered in the following

example typically indicate problems with the user credentials that you specified
in the agentadm command. In this example, the user droot was not
authenticated on the Enterprise Controller. If you see this error, check that the
user name that you supplied for the agentadm -u option, and the password in

Security Features 3-13

About Authorization

the file that you specified for the agentadm -p option, match an existing
administrative user on the Enterprise Controller.
Accept server's certificate? (y|n)
y
Error with connection to CRS: [Link]:
droot, Code: 4, Code: 4
ERROR : Connection cannot be registered.
Code--2
sc-console registration failed on [2].
sc-console : User authentication error.
Error executing step : sc_console

If the system where you are installing the Agent Controller has multiple active
network interfaces, you can use the -a option to specify the IP address of the
interface that you want to use for Agent Controller registration. For example:
# /opt/SUNWxvmoc/bin/agentadm configure -u droot -p /var/tmp/OC/mypasswd -x
[Link] -a [Link]
(output omitted)

11. If you encountered a Connection cannot be registered error message from the
agentadm command, use agentadm to unconfigure the Agent Controller. For
example:

# /opt/SUNWxvmoc/bin/agentadm unconfigure
agentadm: Version 1.0.3 launched with args: unconfigure
verified sc_console command is OK
End of validation
{output omitted}
End of configuration.

After the Agent Controller has been unconfigured, correct the problem that was
indicated by the error message, and re-run the agentadm configure command.

12. Use the sc-console command to list the Agent Controller connection. For
example:

# sc-console list-connections
scn-Agent Controller [Link]
urn:scn:clregid:abcdef12-6899-4bcc-9ac7-a6ebaf71c1f5:20090420171121805
#

Using a Token to Install and Configure an Agent Controller Manually

Procedure to install an Agent Controller.
This procedure uses a token to configure your Agent Controller software.

1. On the Enterprise Controller, change to the /var/opt/sun/xvm/images/

agent/ directory, and list the files that it contains. This directory contains the
Agent Controller installation archives. For example:

# cd /var/opt/sun/xvm/images/agent/
# ls
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
#

3-14 Security
About Authorization

2. Identify the Agent Controller archive that is appropriate for the system where you
intend to install the Agent Controller. See Table 3-1 for a description of the
available packages.

3. On the system where you want to install the Agent Controller, create the following
directory:

# mkdir /var/tmp/OC

# scp [Link] root@[Link]:/var/tmp/OC

Password:
OpsCenterAgent.S 100% |
*********************************************************************| 187078 KB
00:32
#

5. On the target system, change to the /var/tmp/OC directory.

# cd /var/tmp/OC
#

6. Use the unzip command to uncompress the Agent Controller archive. For
example:

# unzip [Link]
(output omitted)

7. If you are installing the Agent Controller on Oracle Solaris 8-10, run the install
-a script in the OpsCenterAgent directory. For example:

8. On the Proxy Controller that will communicate with this Agent Controller instance,
examine the /var/opt/sun/xvm/persistence/scn-proxy/

Security Features 3-15

About Authorization

[Link] file. The last line in this file contains the auto-reg-
token that is required for Agent Controller registration. For example:

# cat /var/opt/sun/xvm/persistence/scn-proxy/[Link]
#Generated by a program. Do not edit. All manual changes subject to deletion.

(output omitted)

trust-store=/var/opt/sun/xvm/security/jsse/scn-proxy/truststore
auto-reg-token=abcdef12-1700-450d-b038-ece0f9482474\:1271743200000\:T
#

9. On the system where you have installed the Agent Controller software, create an
empty file named /var/tmp/OC/mytoken, and set its permission mode to 400.
For example:

# touch /var/tmp/OC/mytoken
# chmod 400 /var/tmp/OC/mytoken

10. Edit the /var/tmp/OC/mytoken file so that it contains the auto-reg-token string
from Proxy Controller with the following changes:

• Remove the auto-reg-token=.

• Remove any backslash characters from the token string. For example:
abcdef12-1700-450d-b038-ece0f9482474:1271743200000:T

11. Use the agentadm command to associate the Agent Controller with a Proxy
Controller.

• Oracle Solaris OS: /opt/SUNWxvmoc/bin/agentadm configure

• Linux OS: use the /opt/sun/xvmoc/bin/agentadm configure

The example commands use the following options:

• -t: specifies the absolute path name of the file that contains the registration
token.

• -x: specifies the IP address or host name of the Proxy Controller to which this
Agent Controller will connect.

• -a: specifies the IP address to use during Agent Controller registration. This
selects the network interface that the Agent Controller will use for registration.
Accept the server's certificate when prompted. For example:
# /opt/SUNWxvmoc/bin/agentadm configure -t /var/tmp/OC/mytoken -x [Link]
agentadm: Version 1.0.3 launched with args: configure -t /var/tmp/OC/mytoken -
x [Link]
workaround configuration done.

Certificate:
Serial Number: 947973225
Version: 3
Issuer: CN=flyfishing_scn-proxy_ca
Subject: CN=flyfishing_scn-proxy_Agent Controller
Not valid before: Thu Jun 19 [Link] MDT 1969
Not valid after: Thu Apr 19 [Link] MDT 2029

Certificate:
Serial Number: 1176469424

3-16 Security
About Authorization

Version: 3
Issuer: CN=flyfishing_scn-proxy_ca
Subject: CN=flyfishing_scn-proxy_ca
Not valid before: Thu Jun 19 [Link] MDT 1969
Not valid after: Thu Apr 19 [Link] MDT 2029

Accept server's certificate? (y|n)

y
Connection registered successfully.
scn-Agent Controller configuration done.
Checking if UCE Agent Controller process is still running, it may take a
couple of minutes ...
Process is no longer running
UCE Agent Controller is stopped.
UCE Agent Controller is in [online] state.
Checking if UCE Agent Controller process is up and running ...
The process is up and running.
UCE Agent Controller is started.
Added the zone configuration automation successfully.
Added the service tags recreate script successfully.
#

If the system where you are installing the Agent Controller has multiple active
network interfaces, you can use the -a option to specify the IP address of the
interface that you want to use for Agent Controller registration. For example:
# /opt/SUNWxvmoc/bin/agentadm configure -t /var/tmp/OC/mytoken -x [Link] -a
[Link]
(output omitted)

12. If you encountered a Connection cannot be registered error message from the
agentadm command, use agentadm to unconfigure the Agent Controller. For
example:

# /opt/SUNWxvmoc/bin/agentadm unconfigure
agentadm: Version 1.0.3 launched with args: unconfigure
verified sc_console command is OK
End of validation

{output omitted}
End of configuration.

After the Agent Controller has been unconfigured, correct the problem that was
indicated by the error message, and re-run the agentadm configure command.

13. Use the sc-console command to list the Agent Controller connection. For
example:

# sc-console list-connections
scn-Agent Controller [Link]
urn:scn:clregid:abcdef12-6899-4bcc-9ac7-a6ebaf71c1f5:20090420171121805
#

Changing Credentials of Managed Assets

Lists the procedures for managing the credentials for assets.
The information is this section is also in the Oracle Enterprise Manager Ops Center
Configure Reference.

Security Features 3-17

About Authorization

Topics

• Upgrading Management Credentials From a Previous Version

• Updating Management Credentials

• Creating Management Credentials

• Editing Management Credentials

• Copying Management Credentials

• Deleting Management Credentials

Preparing to Use sudo

Procedure to enable escalation of SSH credentials on discovered assets in Oracle
Enterprise Manager Ops Center.
1. Log into the asset as root.

2. Enter the visudo command to edit the asset’s sudoers file safely.

3. Edit the sudoers file to conform with the example. Add the command aliases for
discovery and provisioning in the following way according to the operating system
of the asset and whether it :

• For agentless Oracle Solaris assets, add the SOLARIS_DISCOVERY section of

the file.

• For agent-managed Oracle Solaris assets, add the SOLARIS_DISCOVERY and

SOLARIS_PROVISIONING

• For agentless Oracle Linux assets, add the LINUX_DISCOVERY section of the
file.

• For agent-managed Oracle Linux assets, add the LINUX_DISCOVERY and

LINUX_PROVISIONING

4. In the ## User privilege specification section, add the name of the new
SSH credential that you created or will create using the procedure in “Creating
Management Credentials.”. Because a password is mandatory, do not add the
NOPASSWD parameter.

5. Save and close the file.

6. Repeat this procedure on each asset.

Example 3-1 Format of sudoers File for Ops Center

## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##

##
## Host alias specification

3-18 Security
About Authorization

##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias WEBSERVERS = www1, www2, www3

##
## User alias specification
##
## Groups of users. These may consist of user names, uids, Unix groups,
## or netgroups.
User_Alias OPSCENTER = <username>

##
## Cmnd alias specification
##
## Groups of commands. Often used to group related commands together.

Cmnd_Alias SOLARIS_DISCOVERY = /sbin/ifconfig -a, \

/usr/sbin/virtinfo -ap, \
/usr/sbin/dladm, \
/opt/SUNWldm/bin/ldm

Cmnd_Alias SOLARIS_PROVISIONING = /usr/bin/sc-console, \

/var/scn/install/uninstall, \
/usr/sbin/zlogin, \
/bin/cat */opt/SUNWxvm/xvm_zone_id, \
/var/tmp/OpsCenterAgent/install, \
/opt/SUNWxvmoc/bin/agentadm, \
/usr/lib/cacao/bin/cacaoadm, \
/usr/bin/unzip -q -o -d /var/tmp/ /var/tmp/OpsCenterAgent*

Cmnd_Alias LINUX_DISCOVERY = /sbin/ifconfig -a, \

/usr/sbin/virtinfo -ap

Cmnd_Alias LINUX_PROVISIONING = /usr/bin/sc-console, \

/var/scn/install/uninstall, \
/tmp/OpsCenterAgent/install, \
/opt/sun/xvmoc/bin/agentadm, \
/opt/sun/cacao2/bin/cacaoadm, \
/usr/bin/unzip -q -o -d /tmp/ /tmp/OpsCenterAgent*

##
## Defaults specification
##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
## Locale settings
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
##
## Run X applications through sudo; HOME is used to find the
## .Xauthority file. Note that other programs use HOME to find
## configuration files and this may lead to privilege escalation!
# Defaults env_keep += "HOME"
##
## X11 resource path settings
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
##
## Desktop path settings
# Defaults env_keep += "QTDIR KDEDIR"
##

Security Features 3-19

About Authorization

## Allow sudo-run commands to inherit the callers' ConsoleKit session

# Defaults env_keep += "XDG_SESSION_COOKIE"
##
## Uncomment to enable special input methods. Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!/sbin/reboot !log_output
Defaults logfile=/var/log/[Link]

##
## Runas alias specification
##

##
## User privilege specification
##
root ALL=(ALL) ALL

## The password of OPSCENTER must be mandatory.

OPSCENTER ALL=(root) SOLARIS_DISCOVERY,SOLARIS_PROVISIONING

## Uncomment to allow members of group wheel to execute any command

# %wheel ALL=(ALL) ALL

## Same thing without a password

# %wheel ALL=(ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command

# %sudo ALL=(ALL) ALL

## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw # Ask for the password of the target user
# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'

## Read drop-in files from /etc/sudoers.d

## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d

Upgrading Management Credentials From a Previous Version

Procedure for use new credentials to manage assets discovered by an earlier version of
Oracle Enterprise Manager Ops Center.
Assets that were discovered and managed in prior versions of Enterprise Manager
Ops Center might not have management credentials associated with them. You can
associate new or existing sets of credentials with these assets.
If a discovered asset is blacklisted, the same can be removed by updating the
management credentials.
To upgrade management credentials, perform the following steps:

1. On the Navigation pane, select All Assets.

2. In the Actions pane, click Upgrade Management Credentials.

3-20 Security
About Authorization

3. Select an asset category: operating systems; servers; or chassis, m-series, and

switches.

4. Select one or more assets of that category.

• To assign an existing set of credentials, select Assign existing set and then select
an existing set of credentials.

• To assign a new set of credentials, select Create and assign new set and then
enter a protocol, name, and credential information.

Updating Management Credentials

Procedure for updating credentials used to manage an asset.
You can change the set of management credentials used by an asset or group of assets.
To update management credentials, perform the following steps:

1. On the Navigation pane, select an asset or group.

2. In the Actions pane, click Update Management Credentials.

Figure 3-4 Wizard for Update Management Credentials

3. Select the credentials that you want to change. You can select more than one type of
credentials.

4. Click Modify the current credential values.

5. Edit the username and/or password.

Note:
If you are modifying the SNMPv3 credentials, then you can edit the username,
authentication protocol, authentication password, privacy protocol, or privacy
password.

6. Click Finish to submit the change.

Creating Management Credentials

Procedure for creating credentials used to manage an asset.

Security Features 3-21

About Authorization

You can create a new set of management credentials. These credentials can then be
used to discover and manage new assets or to manage existing assets.
To create management credentials, perform the following steps:

1. On the Navigation pane, under Administration, select Credentials.

2. In the Actions pane, click Create Credentials.

3. Click on the drop-down list to see the list of available protocols. Accept the default
SSH protocol or select a different protocol. Depending on the type of protocol you
select, the remaining fields change to collect the required information for the
credentials. For specific examples, see Creating SSH Credentials or Creating
SNMPV3 Credentials.

4. Specify a name and description, such as the purpose of the credentials.

5. Select or specify the required information for the type of credential, such as the
username and password.

6. Click Create to create the management credentials.

The new credentials are now available to be used in discovery profiles.

Creating SSH Credentials
Create a set of SSH credentials to discover and manage new assets or to manage
existing assets.

The default protocol for managing assets is SSH. To create SSH credentials, perform
the following steps:

1. On the Navigation pane, under Administration, select Credentials.

2. In the Actions pane, click Create Credentials.

3. Specify a name and description, such as their purpose for the credentials.

4. Specify the username and password.

5. Accept the default authentication type or choose one of the alternatives. Each type
has different requirements for authentication.

• Password: This is the default type of authentication and requires a login

username and password.

• Custom SSH Key: Creates a public SSH key by specifying the Login User name,
a Private Key file name, and a passphrase. In the Private Key File on Proxy
Controller(s) field, accept the default file or change it to refer to other keys. The
Proxy Controller installs the SSH public key on the asset's privileged user's
authorized SSH key.

• Ops Center Key: Oracle Enterprise Manager Ops Center generates a new SSH
key pair, based on the username you provide, and installs the public key in the
asset’s login account during discovery. This method requires a set of credentials
to begin the discovery. After discovery, the SSH key pair is used. This method
does not provide a way to escalate privileges.

6. You can allow the new account to use escalated privileges. The default method is to
not allow a change in privileges. The alternatives are to specify a role for the
account or to add sudo to the account.

3-22 Security
About Authorization

• If you choose the Role method, the Privileged Role field is displayed. Enter the
name of an Ops Center role and specify a password. The new account has this
level of access.

• If you choose the Sudo method, the Privileged Role field is displayed. Enter the
name of an Ops Center account and specify a password. This account must be
included in the asset’s /etc/sudoers file. The privileges defined in the /etc/
sudoers file will be used by the new account. See “Preparing to Use sudo” for
instructions in creating this file. You can edit this file after you complete this
procedure, but the Ops Center account must be in the file before the new
credentials are effective.

7. Accept the default port for SSH of 22, unless your site has a different requirement.

8. Click Create to create the management credentials.

For more information on creating SSH Credentials, see Oracle Enterprise Manager
Ops Center Configuration Reference.

Creating SNMPV3 Credentials

Procedure for creating credentials for accessing assets in Oracle Enterprise Manager
Ops Center.
Create a set of management credentials to discover and manage new assets or to
manage existing assets.
To create credentials that use the SNMPV3 protocol, perform the following steps:
1. On the Navigation pane, under Administration, select Credentials.

2. In the Actions pane, click Create Credentials.

3. Click on the drop-down list to see the list of available protocols. Click SNMPV3.

4. Specify a name and description, such as their purpose for the credentials.

5. Specify the user name with the prefix OC for the credential.

Note:
The user name for SNMPV3 protocol is always prefixed with OC.

6. Accept the default authentication protocol, MD5, or choose SHA, which is a

stronger authentication protocol.

7. Enter a password for authentication.

8. Accept the default privacy protocol, DES, or choose AES, which is a stronger
encryption protocol.

9. Enter a password for encryption.

10. Click Create to create the management credentials.

For more information on creating SSH Credentials, see Oracle Enterprise Manager
Ops Center Configuration Reference.

Editing Management Credentials

Procedure for changing the credentials that manage and asset.

Security Features 3-23

About Authorization

You can edit an existing set of management credentials to reflect changes to the
managed assets.
To edit management credentials, perform the following steps:

1. On the Navigation pane, under Administration, select Credentials.

2. In the center pane, select a set of credentials and click the Edit Credentials icon.

3. Edit the description and the information required by the protocol, then click
Update to save the changes.

Copying Management Credentials

Procedure for duplicating credentials used to manage an asset.
You can copy an existing set of management credentials to create a new set.
To copy management credentials, perform the following steps:

1. On the Navigation pane, under Administration, select Credentials.

2. In the center pane, select a set of credentials and click the Copy Credentials icon.

3. Edit the name, description, and the information required by the protocol, then click
Copy to save the new set of credentials.

Deleting Management Credentials

Procedure for removing credentials used to manage an asset.
You can delete an existing set of management credentials. Discovery profiles that use
the credentials might no longer function, and Agentless assets that are managed using
the credentials must be given a new set.
To delete management credentials, perform the following steps:

1. On the Navigation pane, under Administration, select Credentials.

2. In the center pane, select a set of credentials and click the Delete Credentials icon.

3. Click OK to delete the credentials.

Creating a Credential Plan

Procedure for creating a deployment plan for credentials.
As an alternative to using the Create Credential and Edit Credential actions, create
and apply a plan that updates credentials.

1. Expand Plan Management in the Navigation pane.

2. Scroll down to the Credentials section and click it.

3. Click Create Credentials in the Action pane.

4. Click the drop-down list of protocols to select the type of protocol. Enter a name
and description of the purpose of these credentials, for example, the type of asset
they support.

5. Enter the credentials.

3-24 Security
Configuring and Using Access Control

6. Click the Create button.

Applying the Credential Plan

Procedure for setting up credentials for an asset.
To apply a credential plan to an asset:

1. Expand Plan Management in the Navigation pane.

2. Scroll down to the Credentials section and click a plan.

The window displays the assets that use these credentials and are affected by any
change.

3. Click Apply.

About Certificates
Describes self-signed certificates.
By default, Oracle Enterprise Manager Ops Center uses self-signed certificates for
authentication between the web container and the browser client. Oracle Enterprise
Manager Ops Center does not provide certificates signed by a Certificate Authority
such as Verisign because an Authority requires the name of the domain where the
certificate will be used. The Oracle Enterprise Manager Ops Center software cannot be
delivered with a generated signed certificate because the domain where the Web
server of the Enterprise Controller runs is unknown until the customer installs the
software. However, after installation, use the procedure in Substituting Certificates for
the Glassfish Web Container to replace the self-signed certificate with a certificate
from a Certificate Authority.

Configuring and Using Access Control

Lists the procedures for configuring an asset so that it can be managed.
Access control allows a system to grant access to resources only in ways that are
consistent with security policies defined for those resources:

Topics

• Verifying Security of Session Cookies

• Setting the Expiration Time for Sessions

• Removing Code Examples

Verifying Security of Session Cookies

Procedure for displaying information about a certificate.
Oracle Enterprise Manager Ops Center uses cookies to store session data for
individual users. The cookies are encrypted using JSESSIONID and use the http-
only flag to deny access to scripting languages.
The HTTP protocol includes the TRACE method to echo input. Because it is possible to
use TRACE requests to view session cookies, Oracle Enterprise Manager Ops Center
redirects HTTP transactions to HTTPS where the TRACE method is disabled.
To confirm that TRACE is disabled, use the following command on the Enterprise
Controller's system or a Proxy Controller's system:

Security Features 3-25

Configuring and Using Data Protection

# curl -v --insecure -X TRACE [Link]

(output omitted)
HTTP/1.1 405 TRACE method is not allowed

Setting the Expiration Time for Sessions

Procedure for setting the activity timer for a session.
The browser controls a session's inactivity timer with a default time of 30 minutes.
Consider changing the expiration time to a shorter duration, using the following
procedure:
1. Click Setup in the title bar of the browser window.

2. Click My Preferences and then User Interface Preferences, as in Figure 3-5.

Figure 3-5 User Interface Preferences

3. In the Time Intervals section of the User Interface Preferences window, change the
value in the Session Timeout field.

Removing Code Examples

Procedure for removing code from the product’s command line interface.
The command-line interface includes code examples. If you consider these examples to
be a security risk, remove them with the following procedure:
1. Log in as root user.

2. Issue the following command:

rm -rf /opt/SUNWoccli/doc/examples

Configuring and Using Data Protection

Lists the procedures for backing up information about the assets.

Topics

• Using an NFS Server

• About Backing Up and Restoring the Enterprise Controller

Using an NFS Server

Procedure for setting up an NFS server for Oracle Enterprise Manager Ops Center.
NFS protocol requires agreement on the Domain Name System (DNS) that the NFS
server and NFS clients use. The server and a client must agree on the identity of the
authorized users accessing the share.
The Oracle Enterprise Manager Ops Center software prepares an NFS client to mount
the share. Use the following procedure to prepare the NFS server on an Oracle Solaris
10. The same procedure is also supported in Oracle Solaris 11 system, or you can use a
new procedure, described in Oracle Solaris Administration: ZFS File
Systems.

3-26 Security
Configuring and Using Data Protection

1. Create the directory to share, and set its ownership and permission modes. For
example:

# mkdir -p /export/lib/libX
# chmod 777 /export/lib/libX

2. Open the /etc/dfs/dfstab file on the NFS server.

3. Add an entry to share the directory. For example, to share the directory named /
export/lib/libX, create the following entry:

share -F nfs -o rw,"Share 0" /export/lib/libX

If you want the NFS share to be accessible from other network domains, use the rw
option to specify a list of allowed domains:
share -F nfs -o rw=IPaddress1,IPaddress2 "Share 0" export/lib/libX

4. Share the directory and then verify that the directory is shared. For example:

# shareall
# share
export/lib/libX rw, "Share 0"

The share now allows a root user on the NFS clients to have write privileges.

About Backing Up and Restoring the Enterprise Controller

Oracle Enterprise Manager Ops Center has several tools that can be used for disaster
recovery. These tools let you preserve Oracle Enterprise Manager Ops Center data and
functionality if the Enterprise Controller or Proxy Controller systems fail.
The information is this section is also in the Oracle Enterprise Manager Ops Center
Administration.
The ecadm backup and ecadm restore commands back up and restore the
Enterprise Controller. They also back up and restore the co-located Proxy Controller
unless otherwise specified. The proxyadm backup and proxyadm
restore commands back up and restore remote Proxy Controllers.
The ecadm backup command creates a tar file that contains all of the Oracle
Enterprise Manager Ops Center information stored by the Enterprise Controller,
including asset data, administration data, job history, and the database password, but
not including software and storage library contents. The proxyadm
backup command creates a tar file that contains all of the Oracle Enterprise Manager
Ops Center information stored by the Proxy Controller, including asset data. You can
specify the name and location of the backup file and the log file for each command.
Run the ecadm backup and proxyadm backup commands regularly and save the
backup files on a separate system.
If the Enterprise Controller system fails, you can use the ecadm restore command
and the backup file to restore the Enterprise Controller to its previous state on the
original system or on a new system. The ecadm restore command accepts the name
of the backup file as input, and restores the Enterprise Controller to the state it had at
the time of the backup.
If you are restoring the Enterprise Controller on a new system, you must verify that
the new system is compatible.

Security Features 3-27

Configuring and Using Data Protection

• The new system must have the same architecture and operating system as the old
system. It is recommended that the operating system versions be identical,
including updates and SRUs.

• The host name of the new system should be the same as the old system. You can
change the host name of the new system, provided the old host name is added as
an alias host name in the new system.

• The IP address of the new system can be different. If the new system has a different
IP address, the restore process includes a step to configure any remote Proxy
Controllers to use the new Enterprise Controller IP address. The MAC address of
the new system can be different.

• The new system's Enterprise Controller software version must also match those of
the backed up system.
For a regular back up and restore procedure, the IP address and the host name of the
new system should match that of the old system. For a disaster recovery procedure,
the IP address and the host name of the new system can be different than that of the
old system.
If a remote Proxy Controller system fails, you can use the proxyadm
restore command and the backup file to restore the Proxy
Controller. The proxyadm restore command accepts the name of the backup file as
input, and restores the Proxy Controller to the state it had at the time of the backup.
Some of the procedures described in this section use the ecadm and proxyadm
commands. See the Oracle Enterprise Manager Ops Center Administration for more
information about these commands.

• On Oracle Solaris systems, these commands are in the /opt/SUNWxvmoc/bin/

directory.

• On Linux systems, these commands are in the /opt/sun/xvmoc/bin/ directory.

The following features and topics are covered in this chapter:

• Backing Up an Enterprise Controller

• Restoring an Enterprise Controller

Backing Up an Enterprise Controller

You can create a backup for the Enterprise Controller using the ecadm command with
the backup subcommand.
You can create a backup for the Enterprise Controller using the ecadm command with
the backup subcommand.

Note:
The ecadm backup command does not back up the /var/opt/sun/xvm/
images/os directory because the size of some of the OS image files in this
directory can be prohibitively large.
In addition to running the ecadm backup command, back up
the /var/opt/sun/xvm/images/os directory and archive the files to
another server, file-share facility, or a location outside of the /var/opt/sun
directory.

3-28 Security
Configuring and Using Data Protection

By default, the server data is saved in a backup file in the /var/tmp directory with a
file name that includes a date and time stamp. You can define the file name and
location during the backup, as shown in the example below.
If you are using an embedded database, the backup file includes the product schema
from the embedded database. If you are using a customer-managed database, you can
back up the database schema using the --remotedb option, or you can use the
existing backup and recover processes implemented by your database administrator.

1. From the command line, log in to the Enterprise Controller system.

2. Use the ecadm command with the backup subcommand to back up the Enterprise
Controller.

The following options can be used with the ecadm command:

• -o|--output <backup file>: Specify the file in which the backup archive is
generated. Do not specify a path inside the /opt/*xvm* directories. The
default output file is /var/tmp/sat-backup-<date>-<time>.tar.

• -l|--logfile <logfile>: Save output from command in <logfile>. Log files are
stored in the /var/tmp/ directory.

• -d|--description <description string>: Embed the <description string> as the

description of the backup archive.

• -r|--remotedb: If the Enterprise Controller uses a customer-managed database,

export the database schema to a .dmp file in the Oracle Enterprise Manager
Ops Center dump directory on the database server. This directory
is /var/tmp/ocdumpdir in the examples used in the installation
documentation, but any directory can be specified as the dump directory during
installation and configuration. The .dmp file lets the restore operation restore
the database schema. This option only backs up the Oracle Enterprise Manager
Ops Center database schema; other schemas and data are not included.

• -t|--tag <tag>: Embed <tag> as a single-word tag in the backup archive

• -T|--tempdir <dir>: Specify the temporary staging directory location.

• -v|--verbose: Increase verbosity level. This option may be repeated.

For example:
ecadm backup -o /var/backup/[Link]
ecadm: using logFile = /var/opt/sun/xvm/logs/sat-backup-2012-12-17-[Link].log
ecadm: *** PreBackup Phase
ecadm: *** Backup Phase
ecadm: *** PostBackup Phase
ecadm: *** Backup complete
ecadm: *** Output in /var/backup/[Link]
ecadm: *** Log in /var/opt/sun/xvm/logs/sat-backup-2012-12-17-[Link].log

3. Copy the backup file to a separate system.

4. Start the Enterprise Controller by running the ecadm command with

the start subcommand and the -w option.

For example:
ecadm start -w

Security Features 3-29

Configuring and Using Data Protection

Restoring an Enterprise Controller

You can use a backup file to restore the state of the Enterprise Controller to the state it
had at the time of the backup.
This procedure restores the data from the backup file, which is the archive created by
the backup operation. It also defines the procedure to change the IP address of an
Enterprise Controller.
If you are using an embedded database, the restore process restores the product
schema from the embedded database. If you are using a customer-managed database,
you can use the --remotedb option to restore the product schema on the customer-
managed database, or do not use this option to restore the Enterprise Controller
without restoring the database.

Note:

Before you restore on a system, you must uninstall any previously existing
Enterprise Controllers, Proxy Controllers, and Agent Controllers from the
system.

1. Prepare the Enterprise Controller system.

• If you are restoring the backup on a new system, then the new system must
have the same architecture and operating system as the old system. It is
recommended that the operating system versions be identical, including
updates and SRUs. The new system's host name and Enterprise Controller
software version must also match those of the backed up system. If the host
name does not match, add the old host name as an alias to the /etc/hosts file.

• If you are restoring the backup on the same system, but the software has
become corrupt or an upgrade failed, uninstall the Enterprise Controller
software.
Run the install script with the -e and -k options. The -e option uninstalls
the Enterprise Controller and co-located Proxy Controller, and the -k option
preserves the Oracle Configuration Manager software. For example:
# cd /var/tmp/OC/xvmoc_full_bundle
# install -e -k

2. Install the Enterprise Controller to the same version that was running when the
backup was made, but do not configure the Enterprise Controller, as the ecadm
restore command restores your configuration settings.

• Oracle Solaris OS: See Oracle Enterprise Manager Ops Center Installation for Oracle
Solaris Operating System.

• Linux OS: See Oracle Enterprise Manager Ops Center Installation for Linux
Operating Systems.

3-30 Security
Configuring and Using Data Protection

Note:

If you are using a customer-managed database which is still functioning, the

Enterprise Controller installation procedure indicates several steps that you
must skip and an additional option that you must use to avoid overwriting
your existing database schema.

3. Run the ecadm command with the restore subcommand and the -i <backup
directory location and file name> flag.

The following options may be used with the ecadm command:

• -i|--input <backup file>: (Required) Specify the location of the backup file.

• -l|--logfile <logfile>: Save output from command in <logfile>. Log files are
stored in the /var/tmp/ directory.

• -r|--remotedb: If the Enterprise Controller uses a customer-managed database,

this option restores the product schema on that database. If you are restoring on
a new database system, copy the .dmp file from the /var/tmp/ocdumpdir
directory that corresponds with your backup file to the new system and verify
that it is owned by the oracle user on the new system.

• -e|--echa: If the Enterprise Controller is configured in HA mode, this option

indicates that the co-located Proxy Controller should not be restored.

• -d|--tempdir <dir>: Specify the temporary staging directory location.

• -v|--verbose: Increase verbosity level (may be repeated)

For example:
restore -i /var/backup/[Link]
ecadm: using logFile = /var/opt/sun/xvm/logs/sat-restore-2012-12-17-[Link].log
ecadm: *** PreRestore Phase
ecadm: *** Restore Phase
ecadm: *** PostRestore Phase
ecadm: *** Log in /var/opt/sun/xvm/logs/sat-restore-2012-12-17-[Link].log

4. For an Enterprise Controller with an enabled co-located Proxy Controller, the

restore should restore and start the co-located Proxy Controller. The co-located
Proxy Controller starts only if the Proxy Controller was enabled during the backup
procedure. Check the co-located Proxy Controller's status using
the proxyadm command with the status subcommand. If the Proxy Controller is
stopped, restart it using the proxyadm command with the start subcommand
and the -w option.

# proxyadm status
offline
# proxyadm start -w
proxyadm: Starting Proxy Controller with SMF...
proxyadm: Proxy Controller services have started

5. If you restored the Enterprise Controller on a new system, restart each remote
Proxy Controller to use the new Enterprise Controller.

a. Stop the Proxy Controller using the proxyadm command with

the stop subcommand and the -w option. For example:

Security Features 3-31

Configuring and Using Data Protection

# proxyadm stop -w

b. On the remote Proxy Controller, update the /var/opt/sun/xvm/

persistence/scn-proxy/[Link] URL property to
point to the IP address of the new Enterprise Controller. Update this URL
property through the command line interface using the proxyadm command
with the update subcommand and the -s option:
proxyadm update -s|--satellite-ip <ip>

c. Restart the Proxy Controller using the proxyadm command with

the start subcommand and the -w option. For example:
# proxyadm start -w

6. Restart the co-located Agent Controllers using the agentadm command with
the start subcommand and the -w option. For example:

/opt/SUNWxvmoc/bin/agentadm start -w

Note:

After restoring the Enterprise Controller, the asset details might take several
minutes to display completely in the user interface.

Note:

During the database schema restore, an import log is created. The name of the
import log appears in the Enterprise Controller restore log file with
the OC_import<timestamp>.log format. You can check the progress of the
database import status using this import log.

Example: Restoring an Enterprise Controller With an Embedded Database

Sample command for restoring an Enterprise Controller.
In this example, the ecadm restore command includes options to set the restore in
verbose mode (-v), and to create a restore log (-l) for debugging purposes. The input (-
i) option specifies the backup file location.
# /opt/SUNWxvmoc/bin/ecadm restore -v -i /var/tmp/OC/server1/[Link] -l
[Link]

Example: Restoring an Enterprise Controller With a Customer-Managed Database

Sample command for restoring an Enterprise Controller.
In this example, the ecadm restore command includes the (-r) option to restore the
database schema on a customer-managed database. The input (-i) option specifies the
backup file location.
# /opt/SUNWxvmoc/bin/ecadm restore -i /var/tmp/OC/server1/[Link] -r

Example: Restoring an Enterprise Controller With a Customer-Managed Database Without

Restoring the Database Schema
Sample command for restoring an Enterprise Controller.

3-32 Security
Configuring and Using Data Protection

In this example, the ecadm restore command includes options to set the restore in
verbose mode (-v), and to create a restore log (-l) for debugging purposes. The input (-
i) option specifies the backup file location. The (-r) option is not included.
# /opt/SUNWxvmoc/bin/ecadm restore -v -i /var/tmp/OC/server1/[Link] -l
[Link]

Security Features 3-33

Configuring and Using Data Protection

3-34 Security
Index

Symbols backup and restore (continued)

restoring an Enterprise Controller, 3-30
/var/opt/sun/xvm/[Link], 2-24 Browsers, 2-31, 3-25

A C
Access control, 3-25 Certificate Authority, 2-7
Accounts Certificates
serial console, 3-7 expiration, 2-8
Activity, 1-24, 1-26, 1-27 Oracle Glassfish Server, 2-16
Agent Controllers cipher, 2-31
encryption, 2-30 Cipher, 2-32
installing, 3-10, 3-11, 3-14 Cloud, 3-5
log file, 1-27 Clusterware, 2-1
agentadm Code examples, 3-26
requirements, 3-10 Command line interface, 3-26
Apache UCE Container
Configuration, 2-34
certificates, 2-18 Connection modes
Architecture, 1-3 comparison, 2-21
Asset management
Console access, 3-8
credentials
Cookies, 3-25
copying, 3-24
Create Credentials, 3-8
creating, 3-21
Credentials
deleting, 3-24
applying a plan, 3-25
editing, 3-23 asset management
updatng, 3-21 copying, 3-24
upgrading, 3-20 creating, 3-21
Audit logs
creating a plan, 3-24
date and time, 1-25
deleting, 3-24
example, 1-25
editing, 3-23
[Link], 1-25
upgrading, 3-20
Authentication
authentication, 3-22, 3-23
Agent Controller, 1-4
creating, 3-22, 3-23
LDAP, 3-2
roles, 3-22
PAM, 3-4
SNMPV3, 3-23
Proxy Controller, 1-4
ssh, 3-7
Authorization, 3-5
SSH, 3-22
curl, 3-25
B
Backup, 3-26, 3-27 D
backup and restore
Data protection
backing up an Enterprise Controller, 3-28
NFS, 3-26

Index-1
Database J
accessing data, 2-35
credentials, 2-26, 2-27 Java Cryptography Extension, 2-32
customer-managed, 1-2 JCE, 2-32
embedded, 1-2 JMX, 2-30
encryption, 2-24 Jurisdiction policy files, 2-32
local, 1-2, 2-24
log file, 1-27 K
remote, 1-2, 2-4, 2-24
Date and time, 1-25 Keys, 2-7
Directory Server, 3-2, 3-3 Knowledge Base, 1-1
Disable Multiple Logins, 2-22
DMZ, 1-5 L
Domain model
Navigator, 2-29 LDAP, 3-2
Domain Model Navigator, 2-28 Listener Port, 2-35
Local database, 2-24
Log files
E audit log, 1-27
Encryption, 2-24, 2-31, 2-32 errors, 1-27
Enterprise Controller jobs, 1-27
backing up, 3-28 updates, 1-27
certificates, 2-7 Logging, 1-23, 1-27
configuration, 2-34 Logging in
High Availability, 2-2 multiple, 2-22
port, 1-5 Logs
private keys, 2-7 database, 1-27
restoring, 3-30 installation, 1-27, 2-23
server, 2-3
Enterprise Controllers M
certificates, 2-8
Expiration, 2-8 My Oracle Support, 3-5

F N
Firewalls Networks
ports, 1-5 Logs
web sites, 1-5 installation, 1-27, 2-23
OCDoctor, 2-23
separate, 2-2, 2-23
G NFS, 3-26
Glassfish, 2-16 NFS servers, 3-26

H O
High availability OCDB service name, 2-35
limitations, 2-2 Oracle SQL Developer, 2-35, 2-36
requirements, 2-2 Oracle*Net, 2-36
High Availability, 2-2 Oracle*Net Listener, 2-36
http-only, 3-25
P
I PAM
IAAS, 3-5 changing credentials, 3-4
Installation, 2-1, 2-5 Planning for security, 2-1
IPMI, 3-6 Plans
credentials, 3-25

Index-2
Ports, 1-5, 2-35 ssh (continued)
Privilege, 1-6 SSH
Product architecture, 2-5 key, 3-6
Product role, 1-1 sudo, 3-18
Proxy Controllers Storage, 2-3
certificates, 2-12 sudo, 3-18, 3-22
System properties, 3-7
R
T
Read-Only User Name, 2-35
Remote database, 2-4, 2-24 Timeout
Remote Directory Server, 3-2, 3-3 session, 3-26
Restore, 3-27 TLS
Restoring Apache UCE, 2-33
example, 3-32 Glassfish Web Container, 2-33
Role, 2-34 TRACE, 3-25
Roles Transport Layer Security, 2-6, 2-32
assign, 1-23 Types of security, 3-1
credentials, 3-22
root
U
SELINUX, 2-6
[Link], 2-32
S Upgrading the product, 1-5
User access, 1-6, 3-1
Safenet, 3-4 User roles
Session expiration, 3-26 assign, 1-23
Setting up, 1-5 useradd, 3-9
Setting up the product, 2-20
SNMPV3, 3-23
W
SQL, 2-24
SQL*Plus, 2-39 Web browsers, 2-31
ssh Web sites, 1-5
console access, 3-7 wget, 3-25

Index-3
Index-4

Ops Center Admin Guide 12c Release 3
No ratings yet
Ops Center Admin Guide 12c Release 3
198 pages
Oracle Linux KVM User Guide
No ratings yet
Oracle Linux KVM User Guide
52 pages
Oracle Linux: KVM User's Guide
No ratings yet
Oracle Linux: KVM User's Guide
54 pages
How To Make Bootable Pen-Drive For Solaris 11
No ratings yet
How To Make Bootable Pen-Drive For Solaris 11
136 pages
OVMM v3 - 4 E64082
No ratings yet
OVMM v3 - 4 E64082
516 pages
SGD - Installation Guide For Release 5 - 6 - F28100
No ratings yet
SGD - Installation Guide For Release 5 - 6 - F28100
56 pages
Guide For Developer J2ME 8.3 MEEDG
No ratings yet
Guide For Developer J2ME 8.3 MEEDG
162 pages
Virtual Desktop Infrastructure
No ratings yet
Virtual Desktop Infrastructure
368 pages
Netsuite FixedAssetsManagement
No ratings yet
Netsuite FixedAssetsManagement
155 pages
Netsuite Manufacturing
No ratings yet
Netsuite Manufacturing
173 pages
861 PeopleCode API Reference
No ratings yet
861 PeopleCode API Reference
3,364 pages
Custom Fields in Manufacturing Routing
No ratings yet
Custom Fields in Manufacturing Routing
209 pages
Security Administration Guide
No ratings yet
Security Administration Guide
416 pages
OFSAA Transfer Form User Guide
No ratings yet
OFSAA Transfer Form User Guide
128 pages
Oracle REST API Documentation
No ratings yet
Oracle REST API Documentation
323 pages
Xadmin User Guide - Ver7.1
No ratings yet
Xadmin User Guide - Ver7.1
310 pages
Enterprise Manager Cloud Control Licensing Information User Manual
No ratings yet
Enterprise Manager Cloud Control Licensing Information User Manual
288 pages
Network Virtualization 821-1458
No ratings yet
Network Virtualization 821-1458
408 pages
PeopleSoft Fluid Grids Standards Guide
No ratings yet
PeopleSoft Fluid Grids Standards Guide
41 pages
PeopleSoft HCM 9.2 Overview
No ratings yet
PeopleSoft HCM 9.2 Overview
1,892 pages
Managing File Systems in Oracle Solaris 11.4
No ratings yet
Managing File Systems in Oracle Solaris 11.4
94 pages
Oracle Database Admin II 1Z0-083 Guide
No ratings yet
Oracle Database Admin II 1Z0-083 Guide
2 pages
01 System Administration Guide Basic
No ratings yet
01 System Administration Guide Basic
464 pages
Job Data Modernization Red Paper
100% (1)
Job Data Modernization Red Paper
60 pages
SuiteScript Developer Guide 2025.1
No ratings yet
SuiteScript Developer Guide 2025.1
260 pages
Veeam Database Mounting Issues in JD Edwards
No ratings yet
Veeam Database Mounting Issues in JD Edwards
532 pages
MySQL Operator for Kubernetes Guide
No ratings yet
MySQL Operator for Kubernetes Guide
52 pages
Oracle Exadata Database Service Cloudcustomer
No ratings yet
Oracle Exadata Database Service Cloudcustomer
731 pages
Oracle Advanced Support Gateway Security Guide: Part No: E40643-49
No ratings yet
Oracle Advanced Support Gateway Security Guide: Part No: E40643-49
74 pages
NetSuite OneWorld User Guide 2024
No ratings yet
NetSuite OneWorld User Guide 2024
139 pages
JD Edwards OMW Guide 9.2
No ratings yet
JD Edwards OMW Guide 9.2
108 pages
JDE927 Server Manager Guide
No ratings yet
JDE927 Server Manager Guide
540 pages
Multiple Application Integration Guide: Oracle ATG One Main Street Cambridge, MA 02142 USA
No ratings yet
Multiple Application Integration Guide: Oracle ATG One Main Street Cambridge, MA 02142 USA
34 pages
NetSuite Authentication Guide 2021
No ratings yet
NetSuite Authentication Guide 2021
231 pages
Aetut 02
No ratings yet
Aetut 02
1 page
NetSuite OneWorld Guide
No ratings yet
NetSuite OneWorld Guide
132 pages
Netsuite CopyToAccount
No ratings yet
Netsuite CopyToAccount
16 pages
Financial Statements Guide
No ratings yet
Financial Statements Guide
78 pages
Oracle Financial Services Case Management Guide
No ratings yet
Oracle Financial Services Case Management Guide
253 pages
Hcm92hhat b012021
No ratings yet
Hcm92hhat b012021
296 pages
Oracle OFS Case Management User Guide
No ratings yet
Oracle OFS Case Management User Guide
222 pages
Oracle SuperCluster M7+M8 Security
No ratings yet
Oracle SuperCluster M7+M8 Security
138 pages
Oracle Key Vault Admin Guide 21.1
No ratings yet
Oracle Key Vault Admin Guide 21.1
533 pages
Oracle EAM User's Guide Release 12
No ratings yet
Oracle EAM User's Guide Release 12
626 pages
Oracle Global Trade Intelligence Guide
No ratings yet
Oracle Global Trade Intelligence Guide
38 pages
Oracle Fusion Applications Human Capital Management Reference Manual
No ratings yet
Oracle Fusion Applications Human Capital Management Reference Manual
710 pages
Administering ECC
No ratings yet
Administering ECC
42 pages
Managing User Accounts and User Environments in Oracle Solaris 11.4
No ratings yet
Managing User Accounts and User Environments in Oracle Solaris 11.4
46 pages
Exadata Database Machine Setup Guide
No ratings yet
Exadata Database Machine Setup Guide
434 pages
EMEA Veritas Training Schedule 2020
No ratings yet
EMEA Veritas Training Schedule 2020
7 pages
ZDLRA RA23 Installation Overview
100% (1)
ZDLRA RA23 Installation Overview
14 pages
Sun Server Support Consultant Guide
No ratings yet
Sun Server Support Consultant Guide
13 pages
Dell VxRail 8.x Support Matrix Guide
No ratings yet
Dell VxRail 8.x Support Matrix Guide
183 pages
SPARC T4-4 Server Pricing Insights
No ratings yet
SPARC T4-4 Server Pricing Insights
14 pages
Oracle Solaris 11 Features and Benefits
No ratings yet
Oracle Solaris 11 Features and Benefits
32 pages
Exadata Database Service Support Guide
No ratings yet
Exadata Database Service Support Guide
9 pages
ZFS Backup Appliance Overview
No ratings yet
ZFS Backup Appliance Overview
15 pages
VxRail 8.0 Release Notes Summary
No ratings yet
VxRail 8.0 Release Notes Summary
43 pages
Oracle VM Manager Guide 3.4 Overview
No ratings yet
Oracle VM Manager Guide 3.4 Overview
56 pages
Veritas Netbackup For Db2 Administrator'S Guide: Unix and Linux
No ratings yet
Veritas Netbackup For Db2 Administrator'S Guide: Unix and Linux
144 pages
Oracle FS1 Series Systems Presales Specialist
No ratings yet
Oracle FS1 Series Systems Presales Specialist
8 pages
11.0 - Introduction and Planning
No ratings yet
11.0 - Introduction and Planning
177 pages
11.0 - Administrators - Guide
No ratings yet
11.0 - Administrators - Guide
490 pages
11.0 - DA Reviewer Guide
No ratings yet
11.0 - DA Reviewer Guide
106 pages
HP Laptops SBS Promotion 11 July 2024
No ratings yet
HP Laptops SBS Promotion 11 July 2024
4 pages
Simatic Wincc v75 Sp1 Architectures en
No ratings yet
Simatic Wincc v75 Sp1 Architectures en
56 pages
Computer Arithmetic Operations Guide
100% (2)
Computer Arithmetic Operations Guide
49 pages
STEP7 TIA Portal V15 HSP en PDF
No ratings yet
STEP7 TIA Portal V15 HSP en PDF
22 pages
MS-CIT Satellite Center Registration 2025
No ratings yet
MS-CIT Satellite Center Registration 2025
3 pages
Customizing and Programming
No ratings yet
Customizing and Programming
328 pages
TUVR Protocol for FM-1000 and FM-750
0% (1)
TUVR Protocol for FM-1000 and FM-750
2 pages
AIX Multipathing Configuration Guide
No ratings yet
AIX Multipathing Configuration Guide
16 pages
Lenovo V310 15ISK 15IKB Platform Specifications
No ratings yet
Lenovo V310 15ISK 15IKB Platform Specifications
1 page
156-215.81 Exam Dumps and Questions
No ratings yet
156-215.81 Exam Dumps and Questions
26 pages
GPRS Modem Wizard Setup Guide
No ratings yet
GPRS Modem Wizard Setup Guide
7 pages
QCA700x Firmware Release Notes
No ratings yet
QCA700x Firmware Release Notes
27 pages
IEEE 802.11 WLAN Protocol Overview
100% (1)
IEEE 802.11 WLAN Protocol Overview
60 pages
E-commerce Infrastructure Overview
No ratings yet
E-commerce Infrastructure Overview
21 pages
Sanet - ST LinuxMagazineUSAIssue255February2022
No ratings yet
Sanet - ST LinuxMagazineUSAIssue255February2022
100 pages
Grade 9 Computer Studies Exam Paper
75% (4)
Grade 9 Computer Studies Exam Paper
2 pages
Deadlock and Memory Management Concepts
No ratings yet
Deadlock and Memory Management Concepts
2 pages
SDR Commissioning Zte
75% (4)
SDR Commissioning Zte
44 pages
Windows Server 2022 Setup Guide
No ratings yet
Windows Server 2022 Setup Guide
4 pages
InfoSec Career Guide: Learning 101
No ratings yet
InfoSec Career Guide: Learning 101
85 pages
Networking Infrastructure Assignment
0% (1)
Networking Infrastructure Assignment
39 pages
Bulk Import/Export Guide for Managers
No ratings yet
Bulk Import/Export Guide for Managers
11 pages
Connections and Settings: Communication Unit 560CMU02
No ratings yet
Connections and Settings: Communication Unit 560CMU02
5 pages
SYS600 - Programming Language SCIL
No ratings yet
SYS600 - Programming Language SCIL
380 pages
File Management Basics for Students
No ratings yet
File Management Basics for Students
20 pages
Introduction To Compication in Computing
No ratings yet
Introduction To Compication in Computing
67 pages
Jamf Command Line Cheat Sheet
No ratings yet
Jamf Command Line Cheat Sheet
3 pages
SUSE Linux Cluster
No ratings yet
SUSE Linux Cluster
392 pages
FPGA Summer Training Report 2025
No ratings yet
FPGA Summer Training Report 2025
18 pages
Rebooting NetAct Virtual Machines
No ratings yet
Rebooting NetAct Virtual Machines
2 pages