Cloud Control authentication with Active directory oem12c

If your company prefers Microsoft Active Directory as its source of truth (or is at least trying to), you should use AD as the source for the user accounts in Cloud Control. The advantages are obvious: account validity is controlled in one single place, and users do not need separate logins and passwords.

Keep in mind that access control is made up of two parts:

  • Authentication
    Validate that the person trying to log in is who they claim to be (e.g. by a password check)
  • Authorization
    Give the authenticated user access to whatever they are allowed to use (e.g. by roles)

In this article I will only focus on the authentication part. Setting this up is not too complicated, but making a mistake might make your Cloud Control instance inaccessible. I’ll try to give a step-by-step walk-through to set up Microsoft AD as the authentication provider for Cloud Control.

To start, we have to gather some information regarding the LDAP configuration:

  • Hostname of your LDAP server
  • Port number on which the LDAP server is listening (default 389)
  • Distinguished Name (DN) of the AD account to be used for validation; this account should be a member of the AD administrators group. For this purpose I created the user emgcadmin in the default Users folder: CN=emgcadmin,CN=Users,DC=MyCompany,DC=local
  • Password for the account mentioned above
  • Distinguished Name (DN) of the users base in your Active Directory (e.g. OU=Users,OU=ITdepartment,OU=MyHeadOffice,DC=MyCompany,DC=local)
  • Distinguished Name (DN) of the security groups base in your Active Directory (e.g. OU=CloudControl,OU=Global,OU=Security Groups,OU=MyHeadOffice,DC=MyCompany,DC=local)
  • Password for the sysman user
  • Password for the weblogic administrator
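Because a typo in one of these values only shows up after “Activate Changes”, it pays to verify them against the directory first. The script below is an added example, not part of the original post: it syntax-checks the DNs offline, renders the user filter the way WebLogic substitutes %u, and (on demand) binds as the service account to look up a user and list the groups. The hostname and DNs are constructed placeholders; the bind password is read from a file so it never appears on the command line.

```shell
#!/bin/sh
# Pre-flight check of the LDAP values before they go into the WebLogic
# ActiveDirectoryAuthenticator. Added example; the host and DNs below are
# constructed placeholders, replace them with the values gathered above.
LDAP_HOST="dc01.mycompany.local"
LDAP_PORT=389
BIND_DN="CN=emgcadmin,CN=Users,DC=MyCompany,DC=local"
USER_BASE_DN="OU=Users,OU=ITdepartment,OU=MyHeadOffice,DC=MyCompany,DC=local"
GROUP_BASE_DN="OU=CloudControl,OU=Global,OU=Security Groups,OU=MyHeadOffice,DC=MyCompany,DC=local"
USER_FILTER='(&(sAMAccountName=%u)(objectclass=user))'

# Cheap syntax check for a DN: comma-separated attr=value pairs and nothing
# else. Catches the typos that would otherwise lock you out of Cloud Control.
check_dn() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z]+=[^,=]+(,[A-Za-z]+=[^,=]+)*$'
}

# Substitute WebLogic's %u placeholder in the "User From Name Filter" with a
# concrete login name (assumes the name has no LDAP filter metacharacters).
render_user_filter() {
  ph='%u'
  printf '%s\n' "${USER_FILTER%%"$ph"*}$1${USER_FILTER#*"$ph"}"
}

# Bind as the service account and look the user up the way WebLogic will.
# The bind password is read from a file (-y) so it never shows up in ps.
# Usage: ldap_find_user <sAMAccountName> <password-file>
ldap_find_user() {
  ldapsearch -x -LLL -H "ldap://$LDAP_HOST:$LDAP_PORT" -D "$BIND_DN" -y "$2" \
    -b "$USER_BASE_DN" "$(render_user_filter "$1")" dn sAMAccountName memberOf
}

# List the groups WebLogic will see under the Group Base DN.
# Usage: ldap_list_groups <password-file>
ldap_list_groups() {
  ldapsearch -x -LLL -H "ldap://$LDAP_HOST:$LDAP_PORT" -D "$BIND_DN" -y "$1" \
    -b "$GROUP_BASE_DN" '(objectclass=group)' cn
}

# The offline checks run immediately; the directory lookups are called on demand.
for dn in "$BIND_DN" "$USER_BASE_DN" "$GROUP_BASE_DN"; do
  check_dn "$dn" || echo "malformed DN: $dn" >&2
done
```

Run ldap_find_user with the login name of a test user: if the entry comes back, the bind DN, the user base DN and the filter are all correct before you touch the WebLogic realm.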

The steps to perform:

  1. Perform a backup of your current setup to be able to go back to a stable situation if something fails
  2. Log in to the WebLogic console as administrator (weblogic)
  3. In the “Domain Structure” click on “Security Realms”, click on “myrealm” and select the tab “Providers”
  4. Click the <Lock & Edit> button on the left to be able to make changes
  5. Click on the <New> button to create a new authentication provider
  6. Fill in the name (i.e. EM_AD_Provider), select the type “ActiveDirectoryAuthenticator” and click <OK>
  7. Click on the <Reorder> button, move the newly created provider to the top of the list and click <OK>
  8. Click on the newly created provider, switch the “Control Flag” from “Optional” to “Sufficient” and click <Save>
  9. Select the tab “Provider Specific” and fill in the following:
    Connection section
      Host: the hostname of your LDAP server
      Port: the port number on which your LDAP server is listening
      Principal: the DN of the AD admin account
        (e.g. CN=emgcadmin,CN=Users,DC=MyCompany,DC=local)
      Credential: the password of the account above
      Confirm Credential: repeat the password
    Users section
      User Base DN: the DN of the user base in your AD
      User From Name Filter: (&(sAMAccountName=%u)(objectclass=user))
      User Name Attribute: sAMAccountName
    Groups section
      Group Base DN: the DN of the security groups base in your AD
    General section
      Propagate Cause for Login Exception: should be enabled
  10. Click the <Save> button
  11. Click on the <Activate Changes> button on the left of the screen. You should receive a message that the changes have been activated, but a restart is required to take effect
  12. Log in to the host as the oracle user and navigate to the ../em/oms/bin directory
  13. Stop the Cloud Control instance
    [oracle@oem12 bin]$ ./emctl stop oms -all
    Oracle Enterprise Manager Cloud Control 12c Release 4
    Copyright (c) 1996, 2014 Oracle Corporation. All rights reserved.
    Stopping WebTier...
    WebTier Successfully Stopped
    Stopping Oracle Management Server...
    Oracle Management Server Successfully Stopped
    Oracle Management Server is Down
    Stopping BI Publisher Server...
    BI Publisher Server Successfully Stopped
    AdminServer Successfully Stopped
    BI Publisher Server is Down
    [oracle@oem12 bin]$
    
  14. Set the autoprovisioning property to enable automatic account creation for new users.
    Note: In 12cR2 the property “em.security.auth.autoprovisioning” has changed to “oracle.sysman.core.security.auth.autoprovisioning”

    [oracle@oem12 bin]$ ./emctl set property -name "oracle.sysman.core.security.auth.autoprovisioning" -value "true"
    Oracle Enterprise Manager Cloud Control 12c Release 4
    Copyright (c) 1996, 2014 Oracle Corporation. All rights reserved.
    SYSMAN password:
    Property oracle.sysman.core.security.auth.autoprovisioning for oms oem12.jeroen.local:4889_Management_Service has been set to value true
    OMS restart is not required to reflect the new property value
    [oracle@oem12 bin]$
    
  15. Restart the OMS
    [oracle@oem12 bin]$ ./emctl start oms
    Oracle Enterprise Manager Cloud Control 12c Release 4
    Copyright (c) 1996, 2014 Oracle Corporation. All rights reserved.
    Starting Oracle Management Server...
    Starting WebTier...
    WebTier Successfully Started
    Oracle Management Server Successfully Started
    Oracle Management Server is Up
    Starting BI Publisher Server ...
    BI Publisher Server Successfully Started
    BI Publisher Server is Up
    [oracle@oem12 bin]$
    
  16. Log in to the WebLogic console as administrator (weblogic)
  17. In the “Domain Structure” click on “Security Realms”, click on “myrealm” and select the tab “Users and Groups”
  18. In the tab “Users” you should now find all the AD users who will be able to log in to Cloud Control. This does not mean that they can see (or do) anything within the application. The account is created as soon as the user logs in to Cloud Control for the first time, without any rights, roles and/or privileges.

If the users are visible in the WebLogic console, you should be able to log in with a valid AD account and the corresponding password. If the account does not yet exist in Cloud Control, it will be created without any access.

After the first login an administrator should grant the appropriate roles, rights and/or privileges (Setup > Security > Administrators).

What’s next?
And now you’re probably thinking “how about the authorization part?” and “I don’t want all users to be able to log in to Cloud Control, even when they can’t do anything”. This can be achieved using External Roles. Yep, it is possible to also maintain the roles from your AD, but that is beyond the scope of this post. More about that in my next article.
