1 Reply Latest reply on Jan 18, 2020 10:28 AM by Emad Al-Mousa

    EMCLI Security

    4083391

      Hi,

       

      I intend to use

       

      $OMS_HOME/bin/emcli -login -username=SYSMAN -autologin -trustall

       

      But I need to know how safe, I'd like to know where emcli record this "autologin" , and how it works exactly, is it an encrypted file or a kind of http-cookie ?  I don't find a lot of documentation about the "emcli -autologin" mechanism

       

      Thank you in advance

       

      Dany

        • 1. Re: EMCLI Security
          Emad Al-Mousa

          Hi,

           

          i hope this helps & clarifies the confusion !

           

          the documentation is clear "noautologin" is considered the secure method

           

          https://docs.oracle.com/cd/E24628_01/em.121/e17786/deploy.htm#EMCLI140

          https://docs.oracle.com/cd/E24628_01/em.121/e17786/cli_verb_ref.htm#EMCLI1396

           

           

          2.4.3 Secure Mode for the EM CLI Setup

          The EM CLI client installs certain configuration files and a client-side implementation of verbs on the EM CLI client system. The EM CLI client configuration files contain information such as the OMS URL, Enterprise Manager user names, and Enterprise Manager passwords.

           

           

          By default, the EM CLI client is set up in secure mode. In this mode, EM CLI does not store any Enterprise Manager or SSO passwords on the EM CLI client disk. The command emcli setup -noautologin sets up the EM CLI client in secure mode. By default, -noautologin is true. Therefore, you do not need to specify it if you want to set up the EM CLI client in secure mode. In secure mode, if the EM CLI session times out due to inactivity, explicit login (using the login verb) is required before invoking any verb.

           

           

          If you want to set up EM CLI in the insecure auto-login mode, you can use the emcli setup -autologin command. In this mode, if an EM CLI session times out due to inactivity, EM CLI automatically re-establishes the session when a verb needs to execute. However, if you explicitly logged out by running emcli logout, you need to explicitly log in again using emcli login.

           

           

          Regarding trustall

           

          Automatically accepts any server certificate from the OMS, which results in lower security. Also indicates that the setup directory is local and trusted. Either pass this option or the set environment variable EMCLI_CERT_LOC, which has the certificate keystore file. If the file is not present, the system stores the certificate at this location.