Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> OEM Tool - authentication methods
(Message started by: Pete Finnigan on May 17th, 2006, 10:25pm)

Title: OEM Tool - authentication methods
Post by Pete Finnigan on May 17th, 2006, 10:25pm
We use the OEM grid control tool to manage our databases.  This tool uses the oracle unix user ID and password to authenticate.  Is it possible to use another method of authentication such as public key authentication, etc. so that we can disable remote login capability from the OS while maintaining OEM functionality?  Security auditors don't like to see shared accounts such as oracle with direct login capability since it is difficult to identify the individual who is actually logging in.  We prefer to have a 'regular' user su to oracle which provides better tracking.

Title: Re: OEM Tool - authentication methods
Post by Pete Finnigan on May 17th, 2006, 11:06pm
Ric,

Are you talking about logging into the GC app itself, or ??

If you want to disable log ins to the server, you can (I believe)

1.  Create limited functionality users who will perform the jobs
2.  Use iptables to allow ssh/telnet/rsh/etc. connections only from the specific server running GC.

Title: Re: OEM Tool - authentication methods
Post by Pete Finnigan on May 18th, 2006, 2:46pm
No, I'm concerned with the method that OEM GC uses to connect to the oracle account on the unix host.  Our DBAs who use GC say that it requires a working unix oracle account password to work properly.  This creates a problem with our security policy which says that accounts shared by many people such as oracle or root must not be allowed to log in directly.  Instead, a user's personal account must be logged into first, and then the shared account can then be su'ed to.  This allows for better tracking.  I would prefer to disable direct logins to the oracle account but still let the DBAs use OEM, just without the usual password authentication.  Public key authentication would be preferred.  Thanks for your comments!

Title: Re: OEM Tool - authentication methods
Post by Pete Finnigan on May 30th, 2006, 5:59am
The preferred credential that you provide to Grid Control for access should not be "oracle".  If you've performed a standard installation, several possibilities exist for *nix authenticated users.

myaccount:dba -- An individual account with OS dba privileges.

myaccount:oper -- An individual account with OS operator privileges.

myaccount:oinstall -- A single user should have access to this account for operations such as cloning $ORACLE_HOME(s)

Because Grid Control is an App Server application, all of the default behaviors for SSO and enterprise roles are available too.

-- Kevin Hrim
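The following is an added example, not code posted in this thread. It puts the two suggestions together: the per-user dba/oper/oinstall accounts Kevin describes as preferred credentials, and the "no direct login to the shared account, ssh only from the GC host" hardening Ric asked about. The passwd and group data are constructed samples, the GC host address and admin network are placeholders, and the sshd and iptables lines are ordinary OpenSSH/iptables syntax rather than anything Grid Control itself emits.

```sh
#!/bin/sh
# Added example for the OEM preferred-credential discussion above.
# All account data below is constructed for the example; substitute
# /etc/passwd and /etc/group on a real host.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
oracle:x:501:500:Oracle software owner:/home/oracle:/bin/bash
jsmith:x:1001:1001:Jane Smith:/home/jsmith:/bin/bash
bjones:x:1002:1002:Bob Jones:/home/bjones:/bin/bash
opr1:x:1003:1003:Operator:/home/opr1:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin'

SAMPLE_GROUP='root:x:0:
oinstall:x:500:oracle,jsmith
dba:x:501:oracle,jsmith,bjones
oper:x:502:oracle,opr1'

# Accounts the policy treats as shared: they may be reached only via su.
SHARED_ACCOUNTS="root oracle"

# Shared accounts that still have an interactive login shell (audit finding).
shared_with_login() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v shared="$SHARED_ACCOUNTS" '
    BEGIN { n = split(shared, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
    ($1 in want) && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Individual members of an OS group, i.e. the accounts that can be handed to
# Grid Control as preferred credentials instead of "oracle".
individual_members() {
  grp="$1"
  printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v grp="$grp" -v shared="$SHARED_ACCOUNTS" '
    BEGIN { n = split(shared, s, " "); for (i = 1; i <= n; i++) skip[s[i]] = 1 }
    $1 == grp {
      m = split($4, u, ",")
      for (i = 1; i <= m; i++) if (u[i] != "" && !(u[i] in skip)) print u[i]
    }'
}

# sshd_config fragment: no direct ssh login to the shared account, and
# key-only authentication for the individual DBA/operator accounts.
sshd_fragment() {
  cat <<'EOF'
# Shared accounts are reached with su from a personal account, never directly.
DenyUsers oracle
# Personal accounts authenticate with public keys only.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

# iptables rules: ssh accepted only from the Grid Control host and the
# administrators' network.  Both addresses are placeholders (assumptions).
iptables_rules() {
  gc_host="${1:-192.0.2.10}"
  admin_net="${2:-198.51.100.0/24}"
  printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$gc_host"
  printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$admin_net"
  printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

echo "Shared accounts with a direct login shell:"
shared_with_login
echo "Individual dba members (candidate GC preferred credentials):"
individual_members dba
echo "Individual oper members:"
individual_members oper
echo "sshd_config fragment:"
sshd_fragment
echo "iptables rules:"
iptables_rules 192.0.2.10 198.51.100.0/24
```

On the sample data the audit reports root and oracle as shared accounts that can still log in directly, and jsmith/bjones (dba), opr1 (oper) and jsmith (oinstall) as the individual accounts to register in Grid Control; after the sshd fragment is applied, "oracle" is refused at the ssh layer while the personal accounts continue to work with keys and then su to oracle on the host.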