14 Defining Credentials

As part of the target type definition, you can define the types of credentials specific to the plug-in target type. Examples could be the username and password required by the plug-in to connect to a target instance to collect metric data, or to invoke a specific Enterprise Manager job.

The Enterprise Manager credential subsystem enables Enterprise Manager administrators to store credentials, in a secure manner, as preferences or operation credentials. The credentials can then be used to perform different system management activities, such as real-time monitoring, patching, provisioning, and other target administrative operations.

In this release, the credential subsystem supports the storing, accessing, and modifying of fixed number user name/password based credentials as preferred credentials, which other Enterprise Manager subsystems access to build automation solutions. The credential subsystem also supports sudo/powerbroker based impersonation support.

This chapter covers the following:

Introduction to Security Concepts
Defining Credential Metadata

14.1 Introduction to Security Concepts

The following sections describe the concepts associated with credential service integration:

Credential Types

Credential type is the type of authentication supported by a target type. Various authentication schemes are supported, including native agent authentication and SSH. Fore more information, see Section 14.1.1, "Understanding Credential Types".
Named Credentials

A named credential is a users' authentication information on a system and can be a user name/password, a public key-private key pair, or an X509v3 certificate. For more information, see Section 14.1.2, "About Named Credentials".
Authentication Target Type

An authenticating target type is the target type that a credential can authenticate against. For more information, see Section 14.1.3, "Authenticating Target Types".
Credential Sets

The credential set is a placeholder for a credential and can be used to decouple credentials from the system that uses a credential. For more information, see Section 14.1.4, "Overview of Credential Sets"
Credential Store

The credential store is a logical store for all the named credentials of an Enterprise Manager administrator in the Enterprise Manager. For more information, see Section 14.1.5, "Using the Credential Store"
Credential Reference

The credential reference is a way to refer to a credential. For more information, see Section 14.1.6, "About the Credential Reference"

14.1.1 Understanding Credential Types

Credential type is the type of authentication supported by a target type. For example, a host can support a user name/password based authentication, public key authentication, or kerberos authentication. Various authentication schemes are supported, including native agent authentication and SSH.

The native agent authentication scheme employs a user name/password structure, while the SSH Key authentication scheme user a user name/private key/public key structure.

14.1.2 About Named Credentials

A named credential is a users' authentication information on a system. A named credential can be a user name/password, a public key-private key pair, or an X509v3 certificate. An Enterprise Manager administrator can store these credentials as named entities in Enterprise Manager to use when performing operations like running jobs, patching, and other system management tasks. For example, you can store the user name and password that you want to use for patching as MyPatchingCreds. You can then later submit a patching job that uses MyPatchingCreds to patch the production databases.

Named Credentials can be created for the credential types in Enterprise Manager 12c. The most commonly used credential types for host and database target types are described in the following sections.

For more information on named credentials, see the Configuring Security chapter in the Oracle Enterprise Manager Cloud Control Administrator's Guide. This can be found at the following location:

http://docs.oracle.com/cd/E24628_01/doc.121/e24473/security.htm

Host Target Type

Host Credentials

Users can create named credentials by providing the username and password for the host. Privilege delegation properties such as run privilege, runas, and profile can also be provided.
SSH Key Credentials

Named credentials of type SSH Key credential can be created by providing the host username, SSH public key, and SSH private key. Privilege delegation properties such as run privilege, runas, and profile can be also be provided.

Database Target Type

Database Credentials

Named credentials of this type can be created by providing the database username, password, and role.
Database Kerberos Credentials

Named credentials of this type can be created by providing the Kerberos user name and Kerberos password. Database Kerberos credentials can not be used in this release for automation purposes. These can be used only for user interface operations, such as logging in to the database and viewing pages.

14.1.3 Authenticating Target Types

Authenticating target type is the target type that a credential can authenticate against. For example, a SQLScript job has a host credential DBHostCreds that is used to authenticate against the database host. Therefore, the target type for DBHostCreds is Database Instance and the authenticating target type is Host.

14.1.4 Overview of Credential Sets

The credential set is a placeholder for a credential. Credential sets can be used to decouple credentials from the system that uses a credential. For example, a patching job can be submitted to use the credential set "Normal Host Credentials" while being executed.

The "Normal Host Credentials" credential set can also be set to the actual named credential. The credential set to named credential mapping for the target can be changed without editing the system that uses the credential.

14.1.5 Using the Credential Store

The credential store is a logical store for all the named credentials of an Enterprise Manager administrator in the Enterprise Manager. The Enterprise Manager administrator's user name has a logical private credential store. Individual credentials can be identified by credential names. Enterprise Manager administrators can add, edit, and delete named credentials in the credential store.

14.1.6 About the Credential Reference

The credential reference is a way to refer to a credential. There are three ways credentials can be referenced:

Credential Name

The credential is referenced using the name of the credential in the credential store.
Credential Set

The credential is referenced using the credential set name and the target name. The lookup gets the credential associated with the credential set name and target name.
Direct

The credential is specified by providing the values of the attributes. This reference does not refer to a credential in the credential store.

14.2 Defining Credential Metadata

Credential metadata is defined within the target type metadata file. See Section 3.3, "Creating the Target Type Metadata File" for details on this file.

All credential metadata for a target type is defined within a CredentialInfo element. This element in turn contains the following subelements:

A CredentialType element that defines the type of credentials to be used to access target instances
A CredentialSet element that instantiates an instance of CredentialType

The following shows a basic example defining the credentials required to authenticate with hosts running instances of the target: username and password.

Example 14-1 Credential Metadata

<TargetMetadata>

...
 <CredentialInfo>
 <!-- The types of credentials: target host username/password -->
  <CredentialType NAME="HostCreds">
   <Display>
    <Label NLSID="CREDS_HOST_HOSTCREDS">Host Credentials</Label>
   </Display>
   <CredentialTypeColumn NAME="HostUserName" IS_KEY="TRUE">
   <Display>
    <Label NLSID="CREDS_HOST_USERNAME">UserName</Label>
   </Display>
  </CredentialTypeColumn>
  <CredentialTypeColumn NAME="HostPassword">
   <Display>
    <Label NLSID="CREDS_HOST_Password">Password</Label>
   </Display>
  </CredentialTypeColumn>
 </CredentialType>
<!-- The CredentialSet that creates an instance of CredentialType -->
 <CredentialSet NAME="HostCredsNormal" CREDENTIAL_TYPE="HostCreds"
  USAGE="PREFERRED_CRED">
  <Display>
   <Label NLSID="CREDS_HOST_HOSTCREDS_NORMAL">Normal Host Credentials</Label>
  </Display>
  <CredentialSetColumn TYPE_COLUMN="HostUserName" SET_COLUMN="username">
   <Display>
    <Label NLSID="CREDS_NORMAL_USER">Normal Username</Label>
   </Display>
  </CredentialSetColumn>
  <CredentialSetColumn TYPE_COLUMN="HostPassword" SET_COLUMN="password">
   <Display>
    <Label NLSID="CREDS_NORMAL_PASSWORD">Normal Password</Label>
   </Display>
  </CredentialSetColumn>
 </CredentialSet>
<CredentialInfo>
...
</TargetMetadata>

14.2.1 Overview of Credential Elements

The key elements that define credentials are described in the following table:

Table 14-1 Key elements in a plugin.xml file

Element	Required (Y/N)	Description
`CredentialInfo`	Y	The root element for the credentials definition. Contains `CredentialType` and `CredentialSet` elements.
CredentialType	Y	Contains one or more `CredentialTypeColumn` elements, each defining a credential - such as "TargetUsername" or "TargetPassword" - to be used to access target instances.
`CredentialSet`	Y	Instatiates an instance of the credential set defined in `CredentialType`. It includes the following attributes: CREDENTIAL_TYPE Identifies the CredentialType this CredentialSet is created from. USAGE Values are MONITORING (default), which are used to directly connect to the target; PREFERRED_CRED, which are the user's preferred credentials; or SYSTEM, which are used by specialized applications like patching or cloning.
`CredentialSetColumn`	Y	Subelement of CredentialType. Defines a single credential and maps that credential to its corresponding column in the CredentialType. It includes the following attributes: `TYPE_COLUMN` Specifies the CredentialTypeColumn that this CredentialSetColumn maps to. `SET_COLUM` Identifies the column definition in the CredentialSet