Database Reference
In-Depth Information
EM Security Framework
Security is always on the top of anyone's mind given the power behind the EM CLI. The command line has access to
the entire monitored environment, so it's no surprise that this topic is included here.
As is standard with any Oracle security practice, hardening of servers
—
removing services and access to direct
OS-level files that are part of Oracle
—
is recommended as part of a security exercise.
Basic security design requires that we look from all monitored targets up through the Enterprise Manager
components, but there are white papers to address concerns outside of the EM CLI; we will focus on the command
line and Enterprise Manager in this section.
Security in the EM CLI
The security architecture for the EM CLI is built around the architecture in the Enterprise Manager 12c environment
and is often the first point of security concerns, as we've discussed above. The single point of access to the Enterprise
Manager via the EM CLI is the second concern. The credentials to the remote targets that you will be interacting with
via the EM CLI are the third level of access and are of even more concern, as these targets most likely include the
production targets of your database environment.
Secure Mode for EM CLI Setup
Looking at the second level of security, we will discuss what secure mode means in the EM CLI. Secure mode EM
CLI, which is the installation mode by default, does not store any Enterprise Manager or SSO passwords on local disk
or in logs and files.
By default, the EM CLI login automatically times out after reaching a set point for inactivity, and the user must log
in again before attempting to issue any other commands via the EM CLI.
If you wish to set up the EM CLI installation to log in automatically upon re-issue of a verb and demand an
explicit logout of the EM CLI, execute the following command:
> emcli setup
-noautologin
HTTPS Trusted Certificate
Setting up HTTPS trusted certificates first requires a quick check to verify it hasn't already been done. This can be
achieved with an EM CLI status after the following sync, as shown in Figure
2-17
:
> emcli status
Figure 2-17.
Issuing the status call from the EM CLI to view information about the Enterprise Manager Command-Line
Interface and https status
Search WWH ::
Custom Search