If your company is preferring Microsoft Active Directory as a source of truth (or at least you´re trying to) you should be using the AD as source for the user accounts in Cloud Control. The advantages are obvious: Control the validity of accounts in one single place, no different login’s and passwords for the user etc.
Keep in mind that access control is made up of 2 parts:
- Authentication
Validate if the person trying to login is who he claims to be (i.e. by password check) - Autorization
Give access to whatever the authenticated user is allowed to (i.e. by roles)
In this article I will only focus on the authentication part. Setting this up is not too complicated, but making a mistake might turn your Cloud Control instance inaccessible. I’ll try to give a step-by-step walk-through to setup Microsoft AD as authentication provider for Cloud control.
To start we have to gather some information regarding the LDAP configuration:
- Hostname of your LDAP server
- Port number on which LDAP server is listening (default 389)
- Distinguished Name (DN) record of the AD-account to be used for validation, this account should me a member of the AD-administrators group. For this purpose I created the user emgcadmin in the default users folder: CN=emgcadmin,CN=Users,DC=MyCompany,DC=local
- Password for the account mentioned above
- Distinguished Name (DN) record of the users base in you Active directory (i.e. OU=Users,OU=ITdepartment,OU=MyHeadOffice,DC=MyCompany,DC=local)
- Distinguished Name (DN) record of the security groups base in you Active directory (i.e. OU=CloudControl,OU=Global,OU=Security Groups,OU=MyHeadOffice,DC=MyCompany,DC=local)
- Password for sysman user
- Password for weblogic administrator
The steps to perform:
- Perform a backup of your current setup to be able to go back to a stable situation if something fails
- Login into the WebLogic console as administrator (weblogic)
- In the “Domain Structure” click on “Security Realms”, click on “myrealm” and select the tab “Providers”
- Click the <Lock & Edit> button on the left to be able to make changes
- Click on the <New> button to create a new authentication provider
- Fill in the name (i.e. EM_AD_Provider), select the type “ActiveDirectoryAuthenticator” and click <OK>
- Click on the <Reorder> button, move the newly created to the top of the list and click <OK>
- Click on the newly created provider, switch the “Control Flag” from “Optional” to “Sufficient” and click <Save>
- Select the tab “Provider Specific”
Connection section Host The hostname of your LDAP server Port The port number your LDAP server is listening Principal The DN record of the AD-admin account
(i.e. CN=emgcadmin,CN=Users,DC=MyCompany,DC=local)Credential The password of the account above Confirm credential Repeat the password Users section User Base DN The DN record of the user base in your AD Users From Name filter (&(sAMAccountName=%u)(objectclass=user)) User Name attribute sAMAcocuntName Groups section Group Base DN The DN record of security groups in your AD General section Propagate Cause for Login Exception Should be enabled - Click the <Save> button
- Click on the <Activate Changes> button on the left of the screen. You should receive a message that the changes have been activated, but a restart is required to take effect
- Login to the host as oracle user and navigate to ../em/oms/bin directory
- Stop the Cloud Control instance
[oracle@oem12 bin]$ ./emctl stop oms -all Oracle Enterprise Manager Cloud Control 12c Release 4 Copyright (c) 1996, 2014 Oracle Corporation. All rights reserved. Stopping WebTier... WebTier Successfully Stopped Stopping Oracle Management Server... Oracle Management Server Successfully Stopped Oracle Management Server is Down Stopping BI Publisher Server... BI Publisher Server Successfully Stopped AdminServer Successfully Stopped BI Publisher Server is Down [oracle@oem12 bin]$
- Set the autoprovisioning property to enable automatic account creation for new users.
Note: In 12cR2 the property “em.security.auth.autoprovisioning” has changed to “oracle.sysman.core.security.auth.autoprovisioning”[oracle@oem12 bin]$ ./emctl set property -name "oracle.sysman.core.security.auth.autoprovisioning" -value "true" Oracle Enterprise Manager Cloud Control 12c Release 4 Copyright (c) 1996, 2014 Oracle Corporation. All rights reserved. SYSMAN password: Property oracle.sysman.core.security.auth.autoprovisioning for oms oem12.jeroen.local:4889_Management_Service has been set to value true OMS restart is not required to reflect the new property value [oracle@oem12 bin]$
- Restart the OMS
[oracle@oem12 bin]$ ./emctl start oms Oracle Enterprise Manager Cloud Control 12c Release 4 Copyright (c) 1996, 2014 Oracle Corporation. All rights reserved. Starting Oracle Management Server... Starting WebTier... WebTier Successfully Started Oracle Management Server Successfully Started Oracle Management Server is Up Starting BI Publisher Server ... BI Publisher Server Successfully Started BI Publisher Server is Up [oracle@oem12 bin]$
- Login into the WebLogic console as administrator (weblogic)
- In the “Domain Structure” click on “Security Realms”, click on “myrealm” and select the tab “Users and Groups”
- In the tab “Users” you should now find all the AD-users who will be able to login into Cloud Control. This does not mean that they can see (or do) anything within the application. The account will be created as soon the login into Cloud control for the first time without any right, roles and/or privileges.
If the users are visible in the WebLogic console you should be able to login with a valid AD account and the corresponding password. If the account does not exist in Cloud Control it will be created without any access.
After the first login an administrator should grant the appropriate roles, rights and/or privileges (Setup > Security > Administrators).
What’s next?
And now you’re probably thinking “how about the autorization part“, and “I don’t want all user to be able to login into Cloud control, even when they can’t do anything“. This can be achieved using External Roles. Yep, it is possible to maintain also the roles from your AD, but that is beyond the scope of this post. More about that in my next article.
Sources:
- Enterprise Manager Cloud Control Documentation
- How to demonstration
Keep in mind that in 12cR2 the property “em.security.auth.autoprovisioning” has changed to “oracle.sysman.core.security.auth.autoprovisioning” - Cloud Control Security guide