Credentials are the heart of OEM Cloud Control security. When an administrator logs into OEM Cloud Control, they are only allowed to view basic monitoring information that is collected by the Agent. Additional information that is obtained by connecting to the Oracle database instance is done through individual credentials for each user. This allows database developers, managers, and database administrators to connect to the Oracle database using their own credentials. This provides for security as well as auditing.
Credentials within OEM Cloud Control are now managed as named credentials, meaning that the credentials are saved with a name, thus allowing for easy management as well as credential sharing. Named credentials are saved and can be used to connect to targets. In addition, preferred credentials are used for default connectivity and are also saved in the OEM Repository. This allows for easy access as well as security.
A new feature of OEM Cloud Control 12c is the ability to share credentials. This allows the named credential created by one administrator to be shared with other administrators. There are several advantages and uses of credential sharing.
- Reduce password sharing The lead DBA is now the only person who needs to know the sys or system account passwords for an Oracle database. That information can be shared with other DBAs via credential sharing.
- Provide group permissions For example, a read-only database account can be created that is shared with developers and/or designers to allow them to have access to the database. This account can be given special privileges for monitoring SQL executions, and so on, as needed.
This is a significant new feature of OEM Cloud Control and is very useful for maintaining and enhancing OEM security.
Named Credentials are saved in the Repository database and associated with each administrator. These credentials can be database credentials, host credentials, and application credentials. Within these credentials is a username and password associated with the type of target that the credentials are designated for. A named credential can be used for both a single target or multiple targets, if they use the same username and password. In addition, in OEM Cloud Control 12c, the credentials can now be shared with other users by granting them access.
Named credentials are managed within OEM Cloud Control via the Security Named Credentials screen. This screen is accessed via the Setup menu by selecting Security | Named Credentials and is shown in Figure 1.
Here you can create new named credentials or edit existing named credentials. In order to delegate these named credentials to other administrators, you can use the Manage Access button to share access to this named credential. You can also delete and test named credentials from this screen.
In order to create a new named credential, click the Create button. This will invoke the Security: Create Credential screen as shown in Figure 2. Here you can create a named credential for a number of target types.
The Security: Create Credential screen will vary slightly based on the Authenticating Target Type that is selected. The Authenticating Target Type will determine the fields displayed in the Credential Properties section. The Access control section can be used to delegate this credential to others.
Preferred credentials are stored credentials that are assigned to specific targets. Preferred credentials can be set for specific targets and for general target types from within the Preferred Credentials tool. If preferred credentials are not set, you will be prompted for credentials when you try to access a target that requires credentials. To manage preferred credentials, select Security | Preferred Credentials from the Setup menu as shown in Figure 3. From this screen you can also set the MOS (My Oracle Support) Credentials.
As you can see, the different credential types are listed along with the total number of targets, the number of targets with credentials set, and the number of target types with default credentials. Highlight a Target Type and click the Manage Preferred Credentials button as shown in Figure 4.
From the Security: Database Instance Preferred Credentials screen, shown in Figure 4, you can see the default and target specific preferred credentials. From this screen you can set, clear, test and view references for the preferred credentials. All of the credentials are set up as named credentials. When setting a preferred credential, you can either choose to use an existing named credential or to create a new named credential. If a named credential has been delegated to your Administrator account, you can select that as a preferred credential as well.
If a preferred credential has been set for a specific target, that credential will be used. If there is not a preferred credential for the specific target, then the default preferred credential for that target type will be used. If there is no default preferred credential for that target type, then you will be prompted for credentials. In the prompt, there is usually a check box that allows you to save the credential as the preferred credential for that target.
Preferred credentials are essential for increasing the usability and security of the OEM Cloud Control environment. Preferred credentials should always be used for your administrator account.
Monitoring credentials are the credentials used for the Agent to monitor specific targets in the OEM Cloud Control environment. These credentials can be set by super administrators and work for each Agent. It is not necessary to set up monitoring credentials for each individual administrator account. To configure monitoring credentials, select Security | Monitoring Credentials from the Setup menu.
This will invoke the Security: Monitoring Credentials screen as shown in Figure 5. Here you will see the various Target Types that are being monitored as well as the total number of those targets. In order to set monitoring credentials, highlight the Target Type and click the Manage Monitoring Credentials button.
When you click the Manage Monitoring Credentials button, you will be taken to a screen that has the various targets for that target type listed. Select the specific target and click either Set Credentials, Clear, or Test. This will allow you to set up the monitoring credentials for that specific target. This is a much easier method of setting up and managing monitoring credentials than we had in Cloud Control.
The monitoring credentials are key to a well-functioning Cloud Control system and are easy to maintain. Be sure to coordinate changing the monitoring password in Cloud Control whenever you change passwords at the OS and database level. It is important to change passwords occasionally as part of a regular security regime.