Oracle Enterprise Manager Security Best Practices
Huaqing Wang, Senior Product Manager, Oracle
Ravi Pinnamaneni, Consulting Member of Technical Staff, Oracle

Mar 26, 2015



The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Agenda

• Oracle Enterprise Manager Overview
• Security Best Practices
• Managing Enterprise Manager Security using Enterprise Manager
• Q & A
• Appendix


© 2010 Oracle Corporation

Business-Driven IT Management


Enterprise Manager Security Certification: Common Criteria EAL 4+

• The Enterprise Manager security feature development process was rigorously vetted and certified by an independent government agency

• Certified at Common Criteria Evaluation Assurance Level (EAL) 4+ (certificate ID BSI-DSZ-CC-0621-2010) on Aug. 27, 2010

• The comprehensive evaluation took more than two years to complete

• EAL 4 (with augmentation, "EAL 4+") is the highest assurance level mutually recognized among governments worldwide under the Common Criteria Recognition Arrangement


Oracle Enterprise Manager Architecture Overview

• Oracle Management Agent (Management Agent)
  – An integral software component deployed on each monitored host
  – Responsible for monitoring and managing the host and all the targets running on it, and for communicating the collected information (metrics, configurations, etc.) to the Oracle Management Service (OMS)

[Diagram: Grid Control Console, Oracle Management Service, Oracle Management Repository, Oracle Management Agent]


• Oracle Management Service (OMS)
  – A J2EE web application that orchestrates with the Oracle Management Agents to discover targets, monitor and manage them, and upload the collected information to the Oracle Management Repository for later reference and analysis
  – Renders the user interface for the Grid Control Console



• Oracle Management Repository (Management Repository)
  – An Oracle database where all the information (metrics, configurations, etc.) collected by the Oracle Management Agents is stored



• Grid Control Console
  – A web user interface from which you can monitor and administer your entire computing environment




Enterprise Security Considerations and Threats

Security Consideration               Security Threat
-----------------------------------  ------------------------------
Data confidentiality and integrity   Man-in-the-Middle attacks
Data availability                    Denial-of-Service attacks
Authentication                       Password cracking attacks
Segregation of duties                Exploitation of authorization
Non-repudiation                      Repudiation


• Data confidentiality and integrity
  – Data is not disclosed to any entity unless it is authorized to access it
  – Data is not changed, destroyed, or lost in an unauthorized or accidental manner

• Man-in-the-Middle attacks
  – An attacker interrupts, intercepts, modifies or fabricates data in transit

[Diagram: data in transit between the Management Agent and the OMS is interrupted or stolen]


• Data availability
  – Data is available and usable on demand by an authorized entity

• Denial-of-Service attacks
  – Make the Management Repository or the OMS unavailable to intended users by flooding them with more requests than they can handle

[Diagram: Management Agent, OMS and attacker]


• Authentication
  – The process of verifying the identity claimed by a user, usually with a username and password

• Password cracking attacks
  – The attacker obtains a password from an authentication exchange, then uses it to log on to Enterprise Manager Grid Control
  – Examples: guessing, dictionary and brute-force attacks


• Segregation of duties
  – No person should be given responsibility for more than one related function

• Exploitation of authorization
  – A user accesses resources (targets, jobs, templates and so on) that he or she should not be authorized to access


• Non-repudiation
  – Network security: neither the sender nor the recipient can later deny having processed the information
  – Web application security: no one can later deny the actions he or she has taken in the application

• Repudiation
  – A party denies having performed an action that did in fact happen


Oracle Enterprise Manager Security Overview

1. Enterprise Manager Infrastructure Security

2. Authentication, Authorization and Audit – The Three A’s

3. Security of target authentications


Enterprise Manager Infrastructure Security

• Enterprise Manager Infrastructure Security
  – Securing the individual Enterprise Manager components
  – Securing communication between them

[Diagram: Grid Control Console, Oracle Management Service, Oracle Management Repository, Management Agent; managed targets: Database, Application, Host]


Infrastructure Security Best Practices: Securing Enterprise Manager Components

• Harden the machines on which the OMS and the Management Repository reside
  – Remove insecure services such as FTP, telnet, rlogin and so on
  – Close the UDP and TCP ports of services that are disabled

• Apply all security patches
  – Always apply the latest relevant Critical Patch Updates (CPUs) for the OS, Oracle Database, Oracle WebLogic Server, OMS and Agents

• Use a privilege delegation tool such as sudo or PowerBroker for access to the owner of the OMR, OMS and Agent Oracle Homes
  – Disable direct login to the hosts as the owner account (“oracle”)
  – Allow normal users to perform administrative tasks without disclosing the privileged user's password



Infrastructure Security Best Practices: Oracle Management Repository

• Follow best practices for securing the Oracle Database (e.g. the Oracle Database Security Checklist)
  – Restrict operating system access
    • Limit the number of OS users with access to the Oracle Database host
    • Restrict the ability of these users to modify the default file/directory permissions of the Oracle Home
  – Restrict network access to the Repository
    • Use valid node checking so that only authorized nodes can reach the database listener; configure it in $TNS_ADMIN/sqlnet.ora (protocol.ora in older releases):
      – tcp.validnode_checking = yes
      – tcp.invited_nodes = (list of IP addresses or host names)
    • If the Repository is the only database on the host, the list can be limited to the OMS nodes only
  – For more information see http://www.oracle.com/technetwork/database/security/twp-security-checklist-database-1-132870.pdf
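The following is an added example, not part of the original slides: it models how the listener applies valid node checking (checking off admits everyone; an invited list is a strict allow-list that takes precedence over the excluded list; an excluded list alone blocks only the listed nodes, with trailing wildcards such as 10.0.0.* honoured), so an invited-node list for the Repository can be reviewed before it is rolled out. The two sqlnet.ora fragments, the OMS addresses 10.0.0.11/10.0.0.12 and the unauthorized client 10.0.0.99 are constructed for the example.

```python
"""Added example (not from the original slides): evaluate Oracle Net valid node
checking the way the listener applies it, so the invited-node list for the
Management Repository can be reviewed before deployment.

Assumptions (not stated in the slides): the two sqlnet.ora fragments below are
constructed samples; 10.0.0.11/10.0.0.12 stand for the OMS hosts and
10.0.0.99 for an unauthorized client.
"""
from fnmatch import fnmatch

# Constructed sample: repository host with no node filtering at all.
WEAK_SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES = (NTS)
"""

# Constructed sample: only the OMS hosts may reach the repository listener.
HARDENED_SQLNET_ORA = """
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.0.11, 10.0.0.12, oms-standby.example.com)
TCP.EXCLUDED_NODES = (10.0.0.99)
"""


def parse_sqlnet(text):
    """Parse KEY = value / KEY = (a, b, c) lines into a dict of lowercase keys."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        items = [v.strip() for v in value.strip("()").split(",") if v.strip()]
        cfg[key.lower()] = items
    return cfg


def node_allowed(cfg, node):
    """Return True if `node` (IP or hostname) may connect under this sqlnet.ora.

    Mirrors the listener's rules: with checking off everything is admitted;
    with checking on, an invited list is an allow-list (and takes precedence
    over the excluded list); with only an excluded list, all other nodes pass.
    Trailing wildcards such as 10.0.0.* are honoured as Oracle Net documents.
    """
    checking = cfg.get("tcp.validnode_checking", ["no"])[0].lower()
    if checking not in ("yes", "true", "on"):
        return True
    invited = cfg.get("tcp.invited_nodes", [])
    excluded = cfg.get("tcp.excluded_nodes", [])
    if invited:
        return any(fnmatch(node.lower(), pat.lower()) for pat in invited)
    return not any(fnmatch(node.lower(), pat.lower()) for pat in excluded)


def review(text, nodes):
    """Return {node: allowed} for a list of candidate source nodes."""
    cfg = parse_sqlnet(text)
    return {n: node_allowed(cfg, n) for n in nodes}


if __name__ == "__main__":
    candidates = ["10.0.0.11", "10.0.0.12", "10.0.0.99", "oms-standby.example.com"]
    print("weak    :", review(WEAK_SQLNET_ORA, candidates))
    print("hardened:", review(HARDENED_SQLNET_ORA, candidates))
```

Run it against the real $TNS_ADMIN/sqlnet.ora of the Repository host with the list of OMS addresses as candidates: any address outside the OMS set that comes back allowed means the listener is not yet restricted to the OMS nodes.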



Infrastructure Security Best Practices: Oracle Management Service

• Follow best practices for securing Oracle WebLogic Server (Securing the Production Environment for Oracle WebLogic Server)
  – Protect the WebLogic Server home directory, especially the domain directory, which contains configuration files, security files, log files and other Java EE resources for the WebLogic domain
    • Grant access to the directory only to the single OS user who runs WebLogic Server
  – Create no fewer than two user accounts with system administrator privileges
    • This ensures one user keeps access to the account in case another user is locked out by a dictionary/brute-force attack
  – For more information see http://download.oracle.com/docs/cd/E12839_01/web.1111/e13705.pdf



Infrastructure Security Best Practices: Oracle Management Agent

• Deploy agents by pushing them from the OMS
  – The Secure Shell (SSH) protocol is used in this approach, which ensures the confidentiality and integrity of the agent installation

• Use complex one-time registration passwords with a reasonable expiry date
  – The registration password, combined with random keys generated by the OMS and the agent, is used to produce the agent key that registers and secures the agent
  – This protects against unauthorized agents accessing the OMS




Infrastructure Security Best Practices: Securing Communication Overview

• Various communications within Enterprise Manager
  – Between OMS and agent (bidirectional)
  – Between browsers and OMS
  – Between OMS and Management Repository
  – Between OMS and targets

• Communications in firewall environments

[Diagram: Grid Control Console, Oracle Management Service, Oracle Management Repository, Management Agent and managed targets (Database, Application, Host), separated by firewalls]


Infrastructure Security Best Practices: Securing Communication Between OMS and Agents

• Securing communication between OMS and Agents (bidirectional)
  – It is secure-locked out of the box (10.2.0.5 and later), which means the communication is only over HTTPS
  – Security aspects of communication over HTTPS
    • Which secure protocol is used
      – Secure Sockets Layer (SSL) v3
      – Transport Layer Security (TLS) v1
    • Which strong cipher suites are used
    • Whether the certificate is from a well-known Certificate Authority (CA)



Infrastructure Security Best Practices: Securing Communication

• Enable TLS v1 only for communication between OMS and Management Agents
  – OMS:
    • emctl stop oms
    • emctl secure oms -protocol TLSv1
    • Append -Dweblogic.security.SSL.protocolVersion=TLS1 to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh
    • emctl start oms
  – Agent: update $Agent_Home/sysman/config/emd.properties
    • allowTLSonly=true
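The following is an added example, not part of the original slides: a small audit of an agent's emd.properties that checks the setting the procedure above changes (allowTLSonly=true) together with the two URLs an unsecured agent still has on plain HTTP (REPOSITORY_URL for uploads and EMD_URL for the agent's own listener), so a fleet of agents can be verified rather than trusted. The two property files are constructed samples; host names and ports are illustrative.

```python
"""Added example (not part of the original slides): audit an agent's
emd.properties for TLS-only, HTTPS-only communication with the OMS.

Assumptions: the two property files below are constructed samples; host names
and ports are illustrative. Property names follow the slide (allowTLSonly)
and the agent's standard REPOSITORY_URL / EMD_URL keys.
"""

# Constructed: agent still uploading over plain HTTP, no TLS restriction.
WEAK_EMD_PROPERTIES = """\
REPOSITORY_URL=http://oms.example.com:4889/em/upload
EMD_URL=http://agenthost.example.com:3872/emd/main/
agentTZRegion=UTC
"""

# Constructed: secured agent (emctl secure agent) with TLS v1 enforced.
HARDENED_EMD_PROPERTIES = """\
REPOSITORY_URL=https://oms.example.com:1159/em/upload
EMD_URL=https://agenthost.example.com:3872/emd/main/
allowTLSonly=true
agentTZRegion=UTC
"""


def parse_properties(text):
    """Parse a Java-style properties file (key=value, '#'/'!' comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit_agent_properties(text):
    """Return a list of findings; an empty list means the agent passes."""
    props = parse_properties(text)
    findings = []
    # Both the upload URL and the agent's own listener URL must be HTTPS;
    # 'emctl secure agent' rewrites them once the agent is secured.
    for key in ("REPOSITORY_URL", "EMD_URL"):
        url = props.get(key, "")
        if not url.lower().startswith("https://"):
            findings.append(f"{key} is not HTTPS ({url or 'missing'}); run 'emctl secure agent'")
    # Without allowTLSonly=true the agent may still negotiate SSLv3.
    if props.get("allowTLSonly", "").lower() != "true":
        findings.append("allowTLSonly is not true; agent may still negotiate SSLv3")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_EMD_PROPERTIES), ("hardened", HARDENED_EMD_PROPERTIES)):
        print(name, audit_agent_properties(text) or ["OK"])
```

Point it at each agent's $Agent_Home/sysman/config/emd.properties; remember that the OMS side must be set to TLSv1 first (the emctl secure oms step above), otherwise an agent with allowTLSonly=true cannot negotiate a session.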




Infrastructure Security Best Practices: Configuring Enterprise Manager for Firewalls

• Firewalls are commonplace in most mature and modern IT infrastructures

• Two areas where Enterprise Manager and firewalls interact
  – Navigating between Enterprise Manager components separated by firewalls
  – Communicating with managed targets that are behind firewalls

• Enterprise Manager is designed to cope with both cases, but…
  – …this is one of the least understood areas when deploying Enterprise Manager in a secure environment



Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls

• Best practices:
  – Get firewalls into the first design of the solution
    • Carefully analyze your protocol requirements between Enterprise Manager and the managed targets in your environment, e.g.:
      – HTTP/HTTPS for communication between OMS and Agents
      – SQL*Net for communication between OMS and Oracle Database targets
      – ICMP and UDP for communication between beacons and managed targets
    • Consider the placement of OMSs when laying down your Enterprise Manager topology
  – Work closely with the network team on the design of groups and Access Control Lists (ACLs) for groups of targets



Infrastructure Security Best Practices: Configuring Enterprise Manager for Firewalls

• Lots of different permutations with Enterprise Manager when dealing with firewalls…
  – Configuring agents on a host protected by a firewall
  – Configuring the OMS on a host protected by a firewall
  – Firewalls between OMS and OMR
  – A firewall between your browser and Grid Control
  – Firewalls between Grid Control and a managed database target
  – Firewalls used with multiple OMSs
  – ……

• Let’s take a tour through some of these



Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls

• Configure an Oracle Management Agent on a host protected by a firewall
  – Configure the Oracle Management Agent to use a proxy server for its upload to the OMS
    • Update the following parameters in $AGENT_HOME/sysman/config/emd.properties:
      REPOSITORY_PROXYHOST=proxyhostname.domain
      REPOSITORY_PROXYPORT=port
    • If authentication is required, edit the following parameters as well:
      REPOSITORY_PROXYREALM=realm
      REPOSITORY_PROXYUSER=proxyuser
      REPOSITORY_PROXYPWD=proxypassword
  – Configure the firewall to allow inbound communication from the OMS to the Agent
    • Port 3872 (default)
    • Port range 1830-1849 (non-default)

[Diagram: OMS, Repository and Grid Control Console on one side of a firewall; Oracle Management Agents on both sides]


Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls

• Configure the Oracle Management Service on a host protected by a firewall
  – Configure the OMS to use a proxy server for its communication to agents outside the firewall
    • Update the following OMS properties with the emctl set property command (emctl set property -name <property> -value <value>):
      proxyHost=proxyhostname.domain
      proxyPort=port
    • If some agents are on hosts inside the firewall, list those hosts in the dontProxyFor property:
      dontProxyFor=hostname1,hostname2
  – Configure the firewall to allow inbound communication from the Agents to the OMS
    • Default HTTP/HTTPS ports: 4889/1159
    • Non-default port ranges: 4890-4897 (HTTP) / 4898-4908 (HTTPS)
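The following is an added example, not part of the original slides, covering the two firewall cases above (agent behind a firewall, OMS behind a firewall): it derives the set of flows an OMS/agent topology needs, including the substitution of agent-to-proxy and proxy-to-OMS legs when agents upload through a proxy, and checks a candidate rule set for flows nobody opened and for "any" rules that open more than Enterprise Manager needs. Host names, the proxy and the rule format are constructed for the example; the ports are the slide's defaults (agent 3872, OMS HTTPS upload 1159).

```python
"""Added example (not from the original slides): compute the firewall flows an
OMS/agent topology needs and check a candidate rule set for missing flows and
for overly broad 'any' rules.

Assumptions: host names, the proxy and the rule format are constructed for
this example; the ports are the slide's defaults (agent 3872, OMS HTTPS
upload 1159).
"""

AGENT_PORT = 3872        # OMS -> agent, default agent port (slide)
OMS_UPLOAD_PORT = 1159   # agent -> OMS, default HTTPS upload port (slide)


def required_flows(oms_hosts, agent_hosts, agent_port=AGENT_PORT,
                   upload_port=OMS_UPLOAD_PORT, upload_proxy=None):
    """Return the set of (src, dst, port) flows the topology needs.

    OMS/agent communication is bidirectional, so each pair needs one rule per
    direction. If agents upload through a proxy (REPOSITORY_PROXYHOST), the
    agent->OMS leg is replaced by agent->proxy and proxy->OMS.
    """
    flows = set()
    for oms in oms_hosts:
        for agent in agent_hosts:
            if upload_proxy:
                proxy_host, proxy_port = upload_proxy
                flows.add((agent, proxy_host, proxy_port))
                flows.add((proxy_host, oms, upload_port))
            else:
                flows.add((agent, oms, upload_port))
            flows.add((oms, agent, agent_port))
    return flows


def rule_covers(rule, flow):
    """A rule covers a flow if each field matches exactly or is 'any'."""
    src, dst, port = flow
    return (rule["src"] in ("any", src)
            and rule["dst"] in ("any", dst)
            and rule["port"] in ("any", port))


def check_rules(rules, flows):
    """Return (missing_flows, broad_rules).

    missing_flows: required flows no allow rule covers (agents will fail to
    upload, or the OMS will not reach them). broad_rules: allow rules with an
    'any' source, destination or port, which open more than EM needs.
    """
    allow = [r for r in rules if r["action"] == "allow"]
    missing = sorted(f for f in flows if not any(rule_covers(r, f) for r in allow))
    broad = [r for r in allow if "any" in (r["src"], r["dst"], r["port"])]
    return missing, broad


# Constructed candidate rule set: agent-b's inbound 3872 was forgotten, and
# the upload port was opened to any source instead of to the agent hosts.
CANDIDATE_RULES = [
    {"action": "allow", "src": "agent-a.example.com", "dst": "oms1.example.com", "port": OMS_UPLOAD_PORT},
    {"action": "allow", "src": "any", "dst": "oms1.example.com", "port": OMS_UPLOAD_PORT},
    {"action": "allow", "src": "oms1.example.com", "dst": "agent-a.example.com", "port": AGENT_PORT},
    {"action": "deny", "src": "any", "dst": "any", "port": "any"},
]


if __name__ == "__main__":
    needed = required_flows(["oms1.example.com"], ["agent-a.example.com", "agent-b.example.com"])
    missing, broad = check_rules(CANDIDATE_RULES, needed)
    print("missing:", missing)
    print("broad  :", broad)
```

The missing flow shows up as a silently "down" agent in the console rather than as an error on the firewall, which is why the required set is worth computing from the topology instead of from tickets; the broad rule is the kind of fix that tends to appear after such an outage and should be tightened to the agent hosts or subnet.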



Authentication, Authorization and Auditing: The Three A’s

• Authentication
  – Determines whether someone is in fact who they declare themselves to be when accessing Enterprise Manager Grid Control

• Authorization
  – Provides access control to secured resources and functionality within Enterprise Manager, such as targets, jobs, templates, reports, etc.

• Audit
  – Keeps track of the actions that happened within Enterprise Manager, to prevent repudiation

[Diagram: Authentication, Authorization and Audit applied to Oracle Enterprise Manager resources (jobs, templates, reports; databases, applications, hosts, application servers) and operations (view reports, blackout targets, submit jobs, manage metrics, manage alerts, …)]


The Three A’s Best Practices: Authentication

• Repository-based authentication (default)
  – Use a database password profile to enforce password controls such as password complexity, failed login attempts, password reuse maximum, password lifetime, etc.

• Delegate Grid Control user authentication to Oracle Single Sign-On (OSSO) or Enterprise User Security (EUS)
  – Simplifies identity management across the enterprise
  – Both SSO and EUS let your users authenticate to Grid Control with credentials stored in an LDAP server

[Diagram: Oracle Enterprise Manager authenticating against the Oracle Management Repository (OMR, default), OSSO or EUS, the latter two backed by an LDAP server]


• Disable SYSMAN from logging into the Grid Control console by issuing the following SQL statement on the Repository:

  UPDATE MGMT_CREATED_USERS SET SYSTEM_USER = '-1' WHERE user_name = 'SYSMAN';

• If you want to re-enable SYSMAN login to the Grid Control Console later on:

  UPDATE MGMT_CREATED_USERS SET SYSTEM_USER = '1' WHERE user_name = 'SYSMAN';

• Change the passwords of both SYSMAN and MGMT_VIEW on a regular basis
  – Prevents password cracking attacks
  – emctl config oms -change_repos_pwd -change_in_db
  – emctl config oms -change_view_user_pwd


The Three A’s Best Practices: Authorization Overview

• A two-step authorization process enables fine-grained access and segregation of duties:
  – Enterprise Manager authorization
    • Controls access to the resources and functionality within Enterprise Manager, e.g.
      – Manage target metric thresholds
      – Set alert notification rules
      – Enable/disable Enterprise Manager packs
  – Target authorization
    • Controls access to the resources and functionality within the target, e.g.
      – CREATE a new TABLE
      – Back up the database
      – Tune SQL
    • Enforced by the target's own security model
    • Depends on the credential used to connect to the target

[Diagram: Enterprise Manager authorization governs EM resources and operations; connecting to a target with a credential is then governed by target authorization]


• Example:
  – Create a new user, SQLTuningDBA, who is only responsible for tuning 2 of 100 managed database targets
    • Enterprise Manager authorization
      – Create the EM user SQLTuningDBA
      – Grant the VIEW target privilege on the 2 DB targets of interest
    • Target authorization
      – The target credentials used should have the following database privileges:
        • SELECT_CATALOG_ROLE
        • ADMINISTER SQL TUNING SET
        • EXECUTE ON DBMS_WORKLOAD_REPOSITORY

[Diagram: SQLTuningDBA connects to Database 1 as database user A and to Database 2 as database user B]


The Three A’s Best Practices: Enterprise Manager Authorization Overview

What type of administrator should the new user be?
• Normal Enterprise Manager Administrator
  – Has NO access to anything unless granted privileges
• Super Administrator
  – Has FULL privileges on all targets and the ability to create Super Administrators

What System Privilege(s) should the user have?
• Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1), e.g.:
  – Should the user be able to VIEW any target?
  – Should the user be able to ADD new targets?

What targets should the user be able to access?
• Should the user only be able to monitor the databases of his or her own department?

What Target Privilege(s) should the user have?
• Enterprise Manager provides 7 Target Privileges, e.g.:
  – Should the user be able to black out targets 1, 2 and 3?
  – Should the user be able to change the metric threshold settings for targets 4, 5 and 6?
• Whether the user is able to tune the performance of target 1 depends on the credential he or she uses to connect to target 1

Page 47: 1. Oracle Enterprise Manager Security Best Practices Huaqing Wang, Senior Product Manager, Oracle Ravi Pinnamaneni, Consulting Member of Technical Staff,

47

The Three A’s Best Practices Enterprise Manager Authorization Overview

What type of administrator

should the new user be?

What System Privilege(s) should the user have?

• If groups of targets are always monitored and managed in the same way, do we have to grant the privileges on these individual targets to the user?

• Privilege Propagating Group – Privileges granted on the group automatically granted on its members

• Normal Enterprise Manager Administrator– Has NO access to anything unless granted

privileges• Super Administrator

– Has FULL privileges on all targets and the ability to create Super Administrators

• Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1),e.g.,– Should the user be able to VIEW any

targets– Should the user be able to ADD new

targets?

What targets should the

user be able to access?

• Should the user only be able to monitor the databases of his own department?

What Target Privilege(s) should the user have

• Enterprise Manager provides 7 Target Privileges, e.g.,– Should the user be able to blackout target

1, 2 and 3?– Should the user be able to change metric

threshold setting for target 4, 5 and 6?• Whether the user is able to tune performance of

target 1 depends on the credential he uses to connect to target 1

Privilege Propagating Group

Page 48

The Three A's Best Practices: Enterprise Manager Authorization Overview

What type of administrator should the new user be?
• Normal Enterprise Manager Administrator
  – Has NO access to anything unless granted privileges
• Super Administrator
  – Has FULL privileges on all targets and the ability to create Super Administrators

What System Privilege(s) should the user have?
• Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1), e.g.:
  – Should the user be able to VIEW any targets?
  – Should the user be able to ADD new targets?

What targets should the user be able to access?
• Should the user only be able to monitor the databases of his own department?

What Target Privilege(s) should the user have?
• Enterprise Manager provides 7 Target Privileges, e.g.:
  – Should the user be able to blackout targets 1, 2 and 3?
  – Should the user be able to change the metric threshold settings for targets 4, 5 and 6?
• Whether the user is able to tune the performance of target 1 depends on the credential he uses to connect to target 1

Privilege Propagating Group
• If groups of targets are always monitored and managed in the same way, do we have to grant the privileges on each individual target to the user?
• Privilege Propagating Group: privileges granted on the group are automatically granted on its members

Role
• If a set of users share the same responsibilities, do we have to grant all the individual privileges one by one to each of these users?
• Role: a set of privileges
Page 49

The Three A's Best Practices: Enterprise Manager Authorization

• Reduce the number of Super Administrators
  – Super Administrators have FULL privilege on all targets and can create additional Super Administrators
• Grant only the minimum set of privileges
  – Follow the principle of least privilege: grant each user only the privileges needed to fulfill their responsibilities
• Achieve segregation of duties and simplify authorization management
  – Grant roles instead of individual privileges to users
  – Use roles along with Privilege Propagating Groups
• Monitor privilege/role operations through Enterprise Manager Auditing

[Diagram: Enterprise Manager authorization covers targets (Databases, Applications, Hosts, Application Servers) and resources (Jobs, Templates, Reports, etc.)]

Page 50

Authentication, Authorization and Auditing: The Three A's

• Authentication
  – Determines whether someone is in fact who they declare to be when accessing Enterprise Manager Grid Control
• Authorization
  – Provides access control to secured resources and functionality within Enterprise Manager, such as targets, jobs, templates, reports, etc.
• Audit
  – Keeps a record of the actions that happened within Enterprise Manager to prevent repudiation

[Diagram: Authentication, Authorization and Audit in Oracle Enterprise Manager over targets (Databases, Applications, Hosts, Application Servers) and resources (Jobs, Templates, Reports, etc.); example privileges: View Reports, Blackout Targets, Submit Jobs, Manage Metrics, Manage Alerts, ...]

Page 51

The Three A's Best Practices: Audit

• Extended set of actions audited by Enterprise Manager: 61 actions (33 new in 11g Release 1)
  – For example: user login/logoff, privilege granting/revoking, changes to monitoring templates, changes to user-defined policies, and database target start/stop/restart
• Built-in externalization service that automatically exports audit data from the Repository to an external file system and purges it from the Repository:
  emcli update_audit_settings -externalization_switch="ENABLE" -directory=<directory_name> -file_prefix=<file_prefix> -file_size=<file size in bytes> -data_retention_period=<period in days>
  – <directory_name> is a database directory object in the Repository database (created with CREATE DIRECTORY), so the OS path behind it must be writable by the database server
  – The exported files record who did what in Enterprise Manager; give them the same access controls and retention as the Repository audit data itself
• GUI interface to view and search audit data
  – Setup -> Management Service and Repository -> Audit Data

[Diagram: Authentication, Authorization and Audit in Oracle Enterprise Manager over Databases, Applications, Hosts, Application Servers and Jobs, Templates, Reports, etc.]

Page 52

The Three A's Best Practices: Audit

• Enable audit for EM operations:
  emcli enable_audit
• If you only care about a subset of actions, enable auditing just for them:
  emcli update_audit_settings -audit_switch="ENABLE" -operations_to_enable="LOGIN;LOGOUT"
• Configure the externalization service to export the audit data from the Repository to an external file system and purge it on a regular basis:
  emcli update_audit_settings -externalization_switch="ENABLE" -directory="EM_DIR" -file_prefix="emgc_audit" -file_size="1000000" -data_retention_period="60"
  – EM_DIR must already exist as a directory object in the Repository database; audit records older than the 60-day retention period are written to emgc_audit* files of at most 1,000,000 bytes each and removed from the Repository
  – Verify the result with emcli show_audit_settings before relying on it

[Diagram: Authentication, Authorization and Audit in Oracle Enterprise Manager over Databases, Applications, Hosts, Application Servers and Jobs, Templates, Reports, etc.]

Page 53

Oracle Enterprise Manager Security Overview

1. Enterprise Manager Infrastructure Security
2. Authentication, Authorization and Audit – The Three A's
3. Security of target authentications

Page 54

Security of Target Authentication: Credential System

• Credentials
  – Credentials are typically the username and password required to access targets such as databases, hosts, etc.
  – Stored encrypted in the Repository or in the Agent
• Usages of credentials:
  – Collect metrics in the background as well as in real time
  – Perform jobs like Backup, Patching, Cloning, etc.
  – Real-time target administration like start, stop, etc.
  – Connect to My Oracle Support for patches
• Preferred credentials: set per user
  – Default credential: per target type
  – Target credential: per target
  – Target credential overrides default credential

[Diagram: Enterprise Manager users authenticate to Grid Control (Oracle Management Service and Oracle Management Repository); Agents on Solaris, Linux and Windows hosts authenticate to Database, Application and Application Server targets; credentials are stored encrypted]

Page 55

Target Authentication Best Practices: Credential System

• Do not set preferred credentials for group/common Enterprise Manager accounts such as SYSMAN: a preferred credential stored under a shared login is usable by everyone who signs in as that login. The following SQL statement lists each target's preferred credential settings together with the Enterprise Manager user they belong to:

  SELECT t.target_name, t.target_type, tc.user_name, tc.credential_set_name
    FROM MGMT_TARGET_CREDENTIALS tc, MGMT_TARGETS t
   WHERE tc.target_guid = t.target_guid
   ORDER BY tc.user_name, t.target_name;

• Keep track of operations on credentials by enabling auditing for the corresponding actions
• Use emcli verbs to synchronize credentials between Enterprise Manager and its database targets, e.g.:
  emcli update_db_password -user_name="DBUserName" -change_at_target=yes
  (with -change_at_target=yes the password is changed on the database as well as in the Repository; see emcli help update_db_password for the target parameters)

[Diagram: the Database User's credentials reach the Database through Preferred Credentials, UDM Collection Credentials, Job Credentials and Monitoring Credentials held by the Oracle Management Repository, the Oracle Management Service and the Management Agent]

Page 56

Target Authentication Best Practices: Host Target Authentication

• Configure Pluggable Authentication Modules (PAM) to take advantage of richer authentication approaches for host access
  – Kerberos, RADIUS and LDAP are supported, so host authentication can use centralized identity storage and management
  – WebIV note 422073.1: How to configure the Agent with PAM to support LDAP authentication
• Privilege delegation (sudo/PowerBroker) is supported across Enterprise Manager
  – Enables users to perform administrative tasks as a functional account (for example oracle or root) without Enterprise Manager holding that account's credentials

Page 57

Threats vs. Best Practices

Security Threat                  Best Practices
Man-in-the-Middle Attacks        Secure the communication; enable the TLS v1 protocol; configure firewalls; ...
Denial-of-Service Attacks        Secure the individual Enterprise Manager components; ...
Exploitation of Authorization    Principle of least privilege; audit the authorization actions; ...
Password Cracking Attacks        Change passwords on a regular basis; enable a password profile to enforce password controls; ...
Repudiation                      Enable auditing for Grid Control actions

Page 58

Agenda

• Oracle Enterprise Manager Overview
• Security Best Practices
• Managing Enterprise Manager Security using Enterprise Manager
• Q & A
• Appendix

Page 59

Oracle Enterprise Manager: Manage its Own Security

• Monitor its own security compliance
  – Security policies
    • Define the desired behaviors of systems in terms of security
  – Security at a glance
    • Provides an overview of the security health of the enterprise for all targets or specific groups
  – Notification of violations
    • Email, Page, SNMP Traps, etc.
• Fix its own security violations
  – Corrective actions
  – CPU Advisory
  – Patching automation
    • Connects to MOS to discover and pull in new patches
    • Rapidly deploys security patches

[Diagram: Enterprise Manager monitors EM security compliance and fixes EM security violations on its own Oracle Management Service, Oracle Management Repository and Oracle Management Agent]

Page 60

Useful Whitepapers

• Oracle Database Security Best Practices
  – http://www.oracle.com/technetwork/database/security/twp-security-checklist-database-1-132870.pdf
• Oracle WebLogic Server Security Best Practices
  – http://download.oracle.com/docs/cd/E12839_01/web.1111/e13705.pdf
• Oracle Enterprise Manager Security Deployment Best Practices
  – http://www.oracle.com/technetwork/oem/grid-control/twp-security-best-practices-133704.pdf

Page 61

Additional Oracle Enterprise Manager Sessions

Thursday, Sept. 23
• 3:00 p.m. - The X-Files: Managing the Oracle Exadata and Highly Available Oracle Databases (Moscone S. Room 102)
• 3:00 p.m. - Monitoring and Diagnosing Oracle RAC Performance with Oracle Enterprise Manager (Moscone S. Room 310)

Page 62

Oracle Enterprise Manager 11g Resource Center
Access Videos, Webcasts, White Papers, and More
Oracle.com/enterprisemanager11g

Page 64

Q & A

Page 65

Appendix

Page 66

Infrastructure Security Best Practices: Oracle Management Repository

• Secure the Oracle Listener against Denial-of-Service (DoS) attacks by enabling the Connection Rate Limiter feature
  • Configure listener.ora (in $TNS_ADMIN, by default $ORACLE_HOME/network/admin):
    – CONNECTION_RATE_<listener_name> = n   (maximum number of new connections per second accepted on the rate-limited endpoints)
    – RATE_LIMIT in the ADDRESS section of the listener endpoint configuration, e.g.:
      LISTENER =
        (ADDRESS = (PROTOCOL = tcp)(HOST = Server1)(PORT = 1521)(RATE_LIMIT = yes))
    – Connection requests above the rate are delayed, not refused, so choose n above the Repository's normal connection rate (the OMS connection pool plus administrators) or legitimate OMS traffic will be throttled along with the attack
  – Please refer to the following link for more information: http://www.oracle.com/technetwork/database/enterprise-edition/oraclenetservices-connectionratelim-133050.pdf

[Diagram: Grid Control Console, Oracle Management Service and Oracle Management Agent connect to the Oracle Management Repository]

Page 67

Infrastructure Security Best Practices: Secure Communication

• Secure lock the OMS
  – Enforces that communication with the OMS takes place only over SSL/TLS
  – By default the OMS is secure locked (10.2.0.5 and later)
  – If your instance was upgraded from a previous version that is not secure locked, issue:
    emctl secure lock
  – The following command tells you whether your OMS is secure locked:
    emctl status oms -details
      HTTP Console Port  : 7802
      HTTPS Console Port : 5416
      HTTP Upload Port   : 7654
      HTTPS Upload Port  : 4473
      Agent Upload is locked.
      OMS Console is locked.
      Active CA ID: 1
    (the port numbers are from the presenters' instance; "Agent Upload is locked" and "OMS Console is locked" are the lines to check)

[Diagram: Grid Control Console, Management Agent and the Database, Application and Host targets communicate with the Oracle Management Service and the Oracle Management Repository]

Page 68

Infrastructure Security Best Practices: Secure Communication

• Secure the Agent
  – emctl secure agent
    (prompts for the Agent Registration Password that was set when the OMS was secured)
  – Verify with emctl status agent -secure:
    ...
    Agent is secure at HTTPS Port 1838
    OMS is secure on HTTPS Port 4473

[Diagram: Grid Control Console, Management Agent and the Database, Application and Host targets communicate with the Oracle Management Service and the Oracle Management Repository]

Page 69

Infrastructure Security Best Practices: Secure Communication

• Secure the communication between the OMS and the Repository by enabling the network security feature of the Advanced Security Option (ASO)
  – ASO is a database option that combines network encryption, database encryption and strong authentication to help customers address privacy and compliance requirements
  – Ensures that the data between the OMS and the Repository is protected from both a confidentiality and an integrity standpoint

[Diagram: Grid Control Console, Management Agent and the Database, Application and Host targets communicate with the Oracle Management Service and the Oracle Management Repository]

Page 70

Infrastructure Security Best Practices: Secure Communication

• Securing communication between the OMS and the Repository with the ASO network security feature, steps:
  • Set the following OMS configuration parameters with the appropriate values, one property at a time, using
    emctl set property -name <property_name> -value <value>
      oracle.sysman.emRep.dbConn.enableEncryption=true
      oracle.net.encryption_client=REQUESTED
      oracle.net.encryption_types_client={DES40C}
      oracle.net.crypto_checksum_client=REQUESTED
      oracle.net.crypto_checksum_types_client={MD5}
  • Add the following to the Repository's $TNS_ADMIN/sqlnet.ora:
    SQLNET.ENCRYPTION_SERVER = REQUESTED
  – Caveats: the example values above are the weakest choices Oracle Net offers. DES40C is 40-bit DES and MD5 is a broken hash; prefer {AES256} and {SHA1}, which ASO supports in 11g, and list the matching algorithms on the Repository side in SQLNET.ENCRYPTION_TYPES_SERVER and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER. REQUESTED means encryption is negotiated but the session still comes up in clear if the other side refuses; once every client supports it, set SQLNET.ENCRYPTION_SERVER = REQUIRED and SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED so an unencrypted OMS connection fails instead of silently downgrading

[Diagram: Grid Control Console, Management Agent and the Database, Application and Host targets communicate with the Oracle Management Service and the Oracle Management Repository]

Page 71

Infrastructure Security Best Practices: Secure Communication

• Enable strong cipher suites for the communication between Enterprise Manager components
  – Agent
    • Edit $AGENT_HOME/sysman/config/emd.properties to configure the cipher suites:
      SSLCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_AES_128_CBC_SHA:SSL_RSA_WITH_AES_256_CBC_SHA
  – OMS
    • Update the following parameter in $INSTANCE_HOME/WebTierIH1/config/OHS/ohs1/httpd_em.conf and ssl.conf:
      SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
  – Caveat: a cipher-suite list is only as strong as the weakest entry the peer will accept. The OMS list as printed still contains single DES and export-grade DES40, and RC4 appears in both lists; keep the AES suites (as in the Agent list), drop the DES, DES40 and RC4 entries, and make the Agent and OMS lists overlap, since the two sides must share at least one suite to connect at all

[Diagram: Grid Control Console, Management Agent and the Database, Application and Host targets communicate with the Oracle Management Service and the Oracle Management Repository]
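The cipher-suite lists on this slide and the Oracle Net algorithm lists on the previous one are edited by hand, and both slides mix strong and weak entries. The following Python script is an added example, not code from the deck or from Oracle: it parses an emd.properties SSLCipherSuites line, an OHS SSLCipherSuite directive and an Oracle Net algorithm list such as {DES40C}, classifies every entry, and returns the hardened list to put back into the file. The weak/legacy/ok policy is this example's own (EXPORT, single DES, DES40, RC4, MD5, NULL and anonymous suites are rejected, 3DES is accepted as legacy, AES passes), the configuration text is constructed, and one OMS entry is deliberately mistyped to show the malformed-name check.

```python
"""Lint the transport-crypto settings the deck recommends for Agent, OMS web
tier and the OMS-to-Repository Oracle Net connection.

Added example, not from the deck or from Oracle. The classification below is
this example's own policy, not an Oracle definition of "strong".
"""
import re

# Substrings that mark an SSL/TLS cipher-suite name as unacceptable.
WEAK_SUITE_MARKERS = ("_EXPORT", "_NULL_", "_anon_", "_DES_CBC_", "_DES40_", "_RC4_", "_MD5")
# Oracle Net (ASO) algorithm names that should not be used between OMS and Repository.
WEAK_NET_ALGORITHMS = {"DES40C", "DES", "RC4_40", "RC4_56", "RC4_128", "RC4_256", "3DES112", "MD5"}


def classify_suite(name):
    """Return 'malformed', 'weak', 'legacy', 'ok' or 'unknown' for one suite name."""
    if not re.match(r"^(SSL|TLS)_[A-Za-z0-9_]+$", name):
        return "malformed"          # e.g. a dropped leading 'S' in SL_RSA_EXPORT_...
    if any(marker in name for marker in WEAK_SUITE_MARKERS):
        return "weak"
    if "_3DES_" in name:
        return "legacy"
    if "_AES_" in name:
        return "ok"
    return "unknown"


def parse_agent_suites(emd_properties_text):
    """Suites from the SSLCipherSuites=a:b:c line of an emd.properties file."""
    for line in emd_properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "SSLCipherSuites":
            return [s for s in value.strip().split(":") if s]
    return []


def parse_ohs_suites(conf_text):
    """Suites from an Apache/OHS 'SSLCipherSuite a:b:c' directive."""
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "SSLCipherSuite":
            return [s for s in parts[1].strip().split(":") if s]
    return []


def lint_suites(suites):
    """Split a suite list into (accepted, rejected); rejected maps name -> reason."""
    accepted, rejected = [], {}
    for suite in suites:
        verdict = classify_suite(suite)
        if verdict in ("ok", "legacy"):
            accepted.append(suite)
        else:
            rejected[suite] = verdict
    return accepted, rejected


def harden_suites(suites):
    """The list to write back: only 'ok' suites, original order kept."""
    return [s for s in suites if classify_suite(s) == "ok"]


def parse_net_algorithms(value):
    """Algorithm names from an Oracle Net list such as '{DES40C}' or '(AES256, AES192)'."""
    inner = value.strip().strip("{}()")
    return [a.strip().upper() for a in re.split(r"[,\s]+", inner) if a.strip()]


def weak_net_algorithms(value):
    """Entries of an Oracle Net encryption/checksum list that are on the weak list."""
    return [a for a in parse_net_algorithms(value) if a in WEAK_NET_ALGORITHMS]


# Constructed sample input: the Agent list as the deck prints it, and an OMS list
# with one entry deliberately mistyped (dropped leading 'S').
AGENT_EMD_PROPERTIES = """\
# other emd.properties settings omitted
SSLCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_AES_128_CBC_SHA:SSL_RSA_WITH_AES_256_CBC_SHA
"""
OMS_SSL_CONF = """\
SSLEngine on
SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SL_RSA_EXPORT_WITH_DES40_CBC_SHA
"""


def report(label, suites):
    accepted, rejected = lint_suites(suites)
    print(f"{label}: {len(accepted)} accepted, {len(rejected)} rejected")
    for suite, reason in rejected.items():
        print(f"  reject {suite} ({reason})")
    hardened = harden_suites(suites)
    print("  hardened list:", ":".join(hardened) if hardened else "<empty: add AES suites>")


if __name__ == "__main__":
    report("Agent SSLCipherSuites", parse_agent_suites(AGENT_EMD_PROPERTIES))
    report("OMS SSLCipherSuite", parse_ohs_suites(OMS_SSL_CONF))
    for prop, value in (("oracle.net.encryption_types_client", "{DES40C}"),
                        ("oracle.net.crypto_checksum_types_client", "{MD5}"),
                        ("SQLNET.ENCRYPTION_TYPES_SERVER", "(AES256, AES192)")):
        print(f"{prop} = {value}: weak = {weak_net_algorithms(value) or 'none'}")
```

Run against the two lists on the slide, the Agent side keeps its two AES suites after hardening, while the OMS side is left with nothing, which is the real finding: the OMS list contains no suite a hardened Agent can negotiate, so AES suites have to be added to the OHS configuration before the weak ones are removed.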

Page 72

Infrastructure Security Best Practices: Secure Communication

• Use certificates from a well-known Certificate Authority (CA) for the communication
  – Trusted certificates
  – Different expiry and key sizes that meet special security rules
  – Steps:
    • Create a wallet for each OMS in the grid
    • Write the certificates of all Certificate Authorities in the certificate chain into the file trusted_certs.txt
    • Copy trusted_certs.txt to the Agent host machines
    • Run the add_trust_cert command on each Agent, then restart the Agent:
      emctl secure add_trust_cert -trust_certs_loc <location of trusted_certs.txt file>
    • Secure the OMS with the wallet and restart it:
      emctl secure oms -wallet <location of wallet> -trust_certs_loc <location of trusted_certs.txt>

[Diagram: Grid Control Console, Management Agent and the Database, Application and Host targets communicate with the Oracle Management Service and the Oracle Management Repository]

Page 73

Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls

• Firewall between browsers and the Grid Control Console
  – Configure the firewall to allow the Grid Control Console to receive HTTP traffic over port 7778
    • Or port 7777 if Web Cache is used in the OMS home
  – If the Grid Control Console is secured as mentioned earlier, configure the firewall to allow the Grid Control Console to receive HTTPS traffic over port 4443
    • With the console secure locked, only the HTTPS port needs to be opened; leaving the HTTP port open as well just exposes a redirect

[Diagram: Browser -> Firewall -> web-based Grid Control on the Oracle Management Service (OMS), ports 7777/7778 (HTTP) and 4443 (HTTPS)]

Page 74

Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls

• Configure the firewall between the OMS and the Repository to allow Oracle Net traffic to flow
  – As mentioned earlier, to secure the communication between the OMS and the Repository we enable Oracle ASO for the Repository
  – ASO supports the following two types of firewalls:
    • Application proxy-based firewalls, such as Network Associates Gauntlet or Axent Raptor
    • Stateful packet inspection firewalls, such as Check Point Firewall-1 or Cisco PIX Firewall
  – Some vendors' firewalls can be configured to recognize Oracle Net traffic with their Oracle Net Proxy Traffic Kits
    • Otherwise, define an ACL that allows traffic to flow between the subnet hosting the OMS and the subnet hosting the Repository

[Diagram: Oracle Management Service (OMS) -> Firewall -> Management Repository over SQL*Net]

Page 75

Privilege Propagating Group

• Privilege Propagating Group
  – A special group: privileges granted on it are propagated to its nested and direct members
    • For a normal group, no matter which privilege (FULL, OPERATOR or VIEW) on the group is granted to you, you only get VIEW privileges on the group members
  – The system privilege "Create Privilege Propagating Group" is required to create this type of group
  – "Full" privilege on a target is required to add the target as a member of such a group
  – emcli verb to convert between a normal group and a privilege propagating group:
    • emcli modify_group -name=<group name> -privilege_propagating=true/false
• Related: Privilege Propagating System, Redundancy Group, Aggregate Services
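To see how the rules on this slide and on slide 48 combine (Super Administrator, direct grants, roles, a normal group capping inherited access at VIEW, a propagating group passing the grant through to nested members), here is an added Python model of the effective-privilege computation. It is not code from the deck or from Oracle and does not query a Repository; the group, role and administrator names are invented, and it assumes that a normal group nested inside a propagating group still caps what reaches its own members at VIEW, a case the deck does not describe.

```python
"""Model of how Enterprise Manager target privileges reach an administrator, as
the deck describes it: a Super Administrator has FULL on everything; a normal
administrator has nothing unless a privilege is granted directly or through a
role; a privilege granted on a normal group gives only VIEW on the members; a
privilege granted on a Privilege Propagating Group is passed through to its
direct and nested members.

Added example, not code from the deck or from Oracle. Names are made up.
Assumption: a normal group nested inside a propagating group still caps what
reaches its own members at VIEW.
"""
from dataclasses import dataclass, field

LEVELS = {"NONE": 0, "VIEW": 1, "OPERATOR": 2, "FULL": 3}


def higher(a, b):
    return a if LEVELS[a] >= LEVELS[b] else b


@dataclass
class Group:
    name: str
    members: list                 # target names or names of nested groups
    propagating: bool = False     # True = Privilege Propagating Group


@dataclass
class Role:
    name: str
    privileges: dict              # object name (target or group) -> level


@dataclass
class Admin:
    name: str
    superadmin: bool = False
    roles: list = field(default_factory=list)
    privileges: dict = field(default_factory=dict)   # direct grants: object -> level


def through_group(group, level, target, groups, path=()):
    """Level that a grant of `level` on `group` confers on `target` via membership."""
    if group.name in path:                       # defensive: ignore membership cycles
        return "NONE"
    inherited = level if group.propagating else "VIEW"   # a normal group caps at VIEW
    best = "NONE"
    for member in group.members:
        if member == target:
            best = higher(best, inherited)
        elif member in groups:                   # nested group: recurse with the capped level
            best = higher(best, through_group(groups[member], inherited, target,
                                              groups, path + (group.name,)))
    return best


def granted_objects(admin, roles):
    """All grants an administrator holds, directly and via roles: object -> level."""
    grants = dict(admin.privileges)
    for role_name in admin.roles:
        for obj, level in roles[role_name].privileges.items():
            grants[obj] = higher(grants.get(obj, "NONE"), level)
    return grants


def effective_privilege(admin, target, groups, roles):
    """Highest target privilege `admin` ends up with on `target`."""
    if admin.superadmin:
        return "FULL"
    grants = granted_objects(admin, roles)
    best = grants.get(target, "NONE")
    for obj, level in grants.items():
        if obj in groups:
            best = higher(best, through_group(groups[obj], level, target, groups))
    return best


def access_matrix(admins, targets, groups, roles):
    """{admin name: {target: level}} for a least-privilege review."""
    return {a.name: {t: effective_privilege(a, t, groups, roles) for t in targets}
            for a in admins.values()}


# Constructed sample: two finance databases in a propagating group; that group and
# an HR database nested in a normal group; two roles; three administrators.
GROUPS = {
    "FIN_DBS": Group("FIN_DBS", ["findb1", "findb2"], propagating=True),
    "ALL_DBS": Group("ALL_DBS", ["FIN_DBS", "hrdb1"]),
}
ROLES = {
    "FIN_DB_OPERATOR": Role("FIN_DB_OPERATOR", {"FIN_DBS": "OPERATOR"}),
    "DB_VIEWER": Role("DB_VIEWER", {"ALL_DBS": "FULL"}),   # FULL on a normal group
}
ADMINS = {
    "alice": Admin("alice", roles=["FIN_DB_OPERATOR"]),
    "bob": Admin("bob", roles=["DB_VIEWER"]),
    "sysman": Admin("sysman", superadmin=True),
}
TARGETS = ["findb1", "findb2", "hrdb1"]

if __name__ == "__main__":
    for admin, row in access_matrix(ADMINS, TARGETS, GROUPS, ROLES).items():
        print(f"{admin:8s}", "  ".join(f"{t}={lvl}" for t, lvl in row.items()))
```

Running it prints an access matrix; the row worth noticing is bob, who holds FULL on ALL_DBS through a role but gets only VIEW on every member because ALL_DBS is a normal group. Converting ALL_DBS to a privilege propagating group (emcli modify_group ... -privilege_propagating=true) turns that into FULL on hrdb1 and, through the nested FIN_DBS, on the finance databases too, which is exactly the jump a least-privilege review should catch before the conversion.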

Page 76

Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls

• Configure the OMS to use a proxy server for its connections to My Oracle Support to check for CPUs
• Update the following OMS properties via the emctl set property command (property names are case-sensitive):
  – emctl set property -name <property> -value <value>
    proxyHost=proxyhostname.domain
    proxyPort=port
• If some Agents are on hosts inside the firewall, set the dontProxyFor property for those hosts so their traffic is not sent through the proxy:
    dontProxyFor=hostname1,hostname2

[Diagram: Oracle Management Service (OMS) -> Firewall -> My Oracle Support]

Page 77

Manage Enterprise Manager Security: Monitor its Own Security

• Security Policies
  – Help you quickly identify systems that are not in compliance
  – Out-of-box policies adopted from industry best practices
  – Customize policies to meet the specific security needs of your organization
• Security at a glance
  – Helps you quickly focus on security issues by showing statistics about security policy violations and noting the critical security patches that have not been applied
    • Compliance scores and violation flux
• Notification of violations
  – E-mail, Page, SNMP Traps, etc.

[Diagram: Security Violations reported by Oracle Enterprise Manager]

Page 78

Manage Enterprise Manager Security: Fix its Own Security Violations

• Corrective actions to remediate violations
• CPU Advisories
• Patching automation
  – Connects to MOS to discover and pull in new patches
  – Rapidly deploys security patches

[Diagram: Security Violations -> Corrective Actions in Oracle Enterprise Manager]