Oracle® Enterprise Manager Cloud Control Extensibility Programmer's Reference 12c Release 2 (12.1.0.2) Part Number E25161-06
As part of the target type definition, you can define the types of credentials specific to the plug-in target type. Examples could be the username and password required by the plug-in to connect to a target instance to collect metric data, or to invoke a specific Enterprise Manager job.
The Enterprise Manager credential subsystem enables Enterprise Manager administrators to store credentials, in a secure manner, as preferences or operation credentials. The credentials can then be used to perform different system management activities, such as real-time monitoring, patching, provisioning, and other target administrative operations.
In this release, the credential subsystem supports the storing, accessing, and modifying of fixed number user name/password based credentials as preferred credentials, which other Enterprise Manager subsystems access to build automation solutions. The credential subsystem also supports sudo/powerbroker based impersonation support.
This chapter covers the following:
The following sections describe the concepts associated with credential service integration:
Credential Types
Credential type is the type of authentication supported by a target type. Various authentication schemes are supported, including native agent authentication and SSH. For more information, see Section 14.1.1, "Understanding Credential Types".
Named Credentials
A named credential is a user's authentication information on a system and can be a user name/password, a public key-private key pair, or an X509v3 certificate. For more information, see Section 14.1.2, "About Named Credentials".
Authentication Target Type
An authenticating target type is the target type that a credential can authenticate against. For more information, see Section 14.1.3, "Authenticating Target Types".
Credential Sets
The credential set is a placeholder for a credential and can be used to decouple credentials from the system that uses a credential. For more information, see Section 14.1.4, "Overview of Credential Sets".
Credential Store
The credential store is a logical store for all the named credentials of an Enterprise Manager administrator in Enterprise Manager. For more information, see Section 14.1.5, "Using the Credential Store".
Credential Reference
The credential reference is a way to refer to a credential. For more information, see Section 14.1.6, "About the Credential Reference".
Credential type is the type of authentication supported by a target type. For example, a host can support a user name/password based authentication, public key authentication, or Kerberos authentication. Various authentication schemes are supported, including native agent authentication and SSH.
The native agent authentication scheme employs a user name/password structure, while the SSH Key authentication scheme uses a user name/private key/public key structure.
A named credential is a user's authentication information on a system. A named credential can be a user name/password, a public key-private key pair, or an X509v3 certificate. An Enterprise Manager administrator can store these credentials as named entities in Enterprise Manager to use when performing operations like running jobs, patching, and other system management tasks. For example, you can store the user name and password that you want to use for patching as MyPatchingCreds. You can then later submit a patching job that uses MyPatchingCreds to patch the production databases.
Named Credentials can be created for the credential types in Enterprise Manager 12c. The most commonly used credential types for host and database target types are described in the following sections.
For more information on named credentials, see the Configuring Security chapter in the Oracle Enterprise Manager Cloud Control Administrator's Guide. This can be found at the following location:
http://docs.oracle.com/cd/E24628_01/doc.121/e24473/security.htm
Host Credentials
Users can create named credentials by providing the username and password for the host. Privilege delegation properties such as run privilege, runas, and profile can also be provided.
SSH Key Credentials
Named credentials of type SSH Key credential can be created by providing the host username, SSH public key, and SSH private key. Privilege delegation properties such as run privilege, runas, and profile can also be provided.
Database Credentials
Named credentials of this type can be created by providing the database username, password, and role.
Database Kerberos Credentials
Named credentials of this type can be created by providing the Kerberos user name and Kerberos password. Database Kerberos credentials cannot be used in this release for automation purposes. These can be used only for user interface operations, such as logging in to the database and viewing pages.
Authenticating target type is the target type that a credential can authenticate against. For example, a SQLScript job has a host credential DBHostCreds that is used to authenticate against the database host. Therefore, the target type for DBHostCreds is Database Instance and the authenticating target type is Host.
The credential set is a placeholder for a credential. Credential sets can be used to decouple credentials from the system that uses a credential. For example, a patching job can be submitted to use the credential set "Normal Host Credentials" while being executed.
The "Normal Host Credentials" credential set can also be set to the actual named credential. The credential set to named credential mapping for the target can be changed without editing the system that uses the credential.
The credential store is a logical store for all the named credentials of an Enterprise Manager administrator in Enterprise Manager. The Enterprise Manager administrator's user name has a logical private credential store. Individual credentials can be identified by credential names. Enterprise Manager administrators can add, edit, and delete named credentials in the credential store.
The credential reference is a way to refer to a credential. There are three ways credentials can be referenced:
Credential Name
The credential is referenced using the name of the credential in the credential store.
Credential Set
The credential is referenced using the credential set name and the target name. The lookup gets the credential associated with the credential set name and target name.
Direct
The credential is specified by providing the values of the attributes. This reference does not refer to a credential in the credential store.
Credential metadata is defined within the target type metadata file. See Section 3.3, "Creating the Target Type Metadata File" for details on this file.
All credential metadata for a target type is defined within a CredentialInfo element. This element in turn contains the following subelements:
A CredentialType element that defines the type of credentials to be used to access target instances
A CredentialSet element that instantiates an instance of CredentialType
The following shows a basic example defining the credentials required to authenticate with hosts running instances of the target: username and password.
Example 14-1 Credential Metadata
```xml
<TargetMetadata>
  ...
  <CredentialInfo>
    <!-- The types of credentials: target host username/password -->
    <CredentialType NAME="HostCreds">
      <Display>
        <Label NLSID="CREDS_HOST_HOSTCREDS">Host Credentials</Label>
      </Display>
      <CredentialTypeColumn NAME="HostUserName" IS_KEY="TRUE">
        <Display>
          <Label NLSID="CREDS_HOST_USERNAME">UserName</Label>
        </Display>
      </CredentialTypeColumn>
      <CredentialTypeColumn NAME="HostPassword">
        <Display>
          <Label NLSID="CREDS_HOST_Password">Password</Label>
        </Display>
      </CredentialTypeColumn>
    </CredentialType>
    <!-- The CredentialSet that creates an instance of CredentialType -->
    <CredentialSet NAME="HostCredsNormal" CREDENTIAL_TYPE="HostCreds" USAGE="PREFERRED_CRED">
      <Display>
        <Label NLSID="CREDS_HOST_HOSTCREDS_NORMAL">Normal Host Credentials</Label>
      </Display>
      <CredentialSetColumn TYPE_COLUMN="HostUserName" SET_COLUMN="username">
        <Display>
          <Label NLSID="CREDS_NORMAL_USER">Normal Username</Label>
        </Display>
      </CredentialSetColumn>
      <CredentialSetColumn TYPE_COLUMN="HostPassword" SET_COLUMN="password">
        <Display>
          <Label NLSID="CREDS_NORMAL_PASSWORD">Normal Password</Label>
        </Display>
      </CredentialSetColumn>
    </CredentialSet>
  </CredentialInfo>
  ...
</TargetMetadata>
```
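A plug-in author can lint the cross-references in this metadata before packaging. The following Python sketch is an added example, not Oracle's code or part of the original reference; it uses only the element and attribute names shown in Example 14-1, and the rule that a credential set should map every column of its type is an assumption of this example. The sample metadata is constructed, with one deliberately misspelled TYPE_COLUMN.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the CredentialInfo portion of Example 14-1 without the
# Display labels, plus one deliberately misspelled TYPE_COLUMN ("HostPasswd").
SAMPLE = """<TargetMetadata>
  <CredentialInfo>
    <CredentialType NAME="HostCreds">
      <CredentialTypeColumn NAME="HostUserName" IS_KEY="TRUE"/>
      <CredentialTypeColumn NAME="HostPassword"/>
    </CredentialType>
    <CredentialSet NAME="HostCredsNormal" CREDENTIAL_TYPE="HostCreds" USAGE="PREFERRED_CRED">
      <CredentialSetColumn TYPE_COLUMN="HostUserName" SET_COLUMN="username"/>
      <CredentialSetColumn TYPE_COLUMN="HostPasswd" SET_COLUMN="password"/>
    </CredentialSet>
  </CredentialInfo>
</TargetMetadata>"""


def check_credential_info(xml_text):
    """Return a list of cross-reference problems found in CredentialInfo."""
    root = ET.fromstring(xml_text)
    info = root.find("CredentialInfo")
    if info is None:
        return ["no CredentialInfo element"]
    problems = []
    # Map each CredentialType NAME to the set of its column names.
    types = {}
    for ctype in info.findall("CredentialType"):
        cols = ctype.findall("CredentialTypeColumn")
        types[ctype.get("NAME")] = {c.get("NAME") for c in cols}
    for cset in info.findall("CredentialSet"):
        name, ref = cset.get("NAME"), cset.get("CREDENTIAL_TYPE")
        if ref not in types:
            problems.append(f"{name}: unknown CREDENTIAL_TYPE {ref!r}")
            continue
        mapped = set()
        for col in cset.findall("CredentialSetColumn"):
            tcol = col.get("TYPE_COLUMN")
            if tcol not in types[ref]:
                problems.append(f"{name}: TYPE_COLUMN {tcol!r} not in {ref}")
            mapped.add(tcol)
        # Assumed lint rule (not from the reference): every type column is mapped.
        for missing in sorted(types[ref] - mapped):
            problems.append(f"{name}: {ref} column {missing!r} is not mapped")
    return problems


if __name__ == "__main__":
    for problem in check_credential_info(SAMPLE):
        print(problem)
```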
The key elements that define credentials are described in the following table:
Table 14-1 Key elements in a plugin.xml file
Element | Required (Y/N) | Description |
---|---|---|
 | Y | The root element for the credentials definition. Contains |
CredentialType | Y | Contains one or more |
 | Y | Instantiates an instance of the credential set defined in |
 | Y | Subelement of CredentialType. Defines a single credential and maps that credential to its corresponding column in the CredentialType. It includes the following attributes: |