- oracle › technetwork › oem › arch-deploy › ... · infrastructure security best practices...


Post on 29-Jun-2020


Oracle Enterprise Manager Security Best Practices

Huaqing Wang, Senior Product Manager, Oracle
Ravi Pinnamaneni, Consulting Member of Technical Staff, Oracle

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Agenda

• Oracle Enterprise Manager Overview
• Security Best Practices
• Managing Enterprise Manager Security using Enterprise Manager
• Q & A
• Appendix


Business-Driven IT Management

© 2010 Oracle Corporation

Enterprise Manager Security Certification: Common Criteria EAL 4+

• Enterprise Manager security feature development process rigorously vetted and certified by independent government agency
• Certified with Common Criteria Evaluation Assurance Level (EAL) 4+ with ID# BSI-DSZ-CC-0621-2010 on Aug. 27, 2010
• Comprehensive evaluation process took 2+ years to complete
• EAL4+ is highest mutually recognized level among governments worldwide

Oracle Enterprise Manager Architecture Overview

[Diagram: Oracle Management Repository, Oracle Management Service, Grid Control Console, Oracle Management Agent]

• Oracle Management Agent (Management Agent)
– An integral software component deployed on each monitored host
– Responsible for monitoring and managing the hosts and all the targets running on those hosts, communicating the information (metrics, configurations, etc.) to Oracle Management Service (OMS)

• Oracle Management Service (OMS)
– J2EE Web application that orchestrates with Oracle Management Agents to discover targets, monitor and manage them, and upload the collected information to Oracle Management Repository for future reference and analysis
– Renders the user interface for the Grid Control Console

• Oracle Management Repository (Management Repository)
– An Oracle database where all the information (metrics, configurations, etc.) collected by the Oracle Management Agents gets stored

• Grid Control Console
– A web user interface from where you can monitor and administer your entire computing environment


Enterprise Security Considerations and Threats

Security Consideration               Security Threat
Data confidentiality and integrity   Man-in-the-Middle attacks
Data availability                    Denial-of-Service attacks
Authentication                       Password crack attacks
Segregation of duties                Exploitation of authorization
Non-repudiation                      Repudiation

• Data confidentiality and integrity
– Not disclosed to any entities unless they are authorized to access
– Not changed, destroyed, or lost in unauthorized or accidental manner
• Man-in-the-Middle attacks
– Interrupts, intercepts, modifies or fabricates data in transit
[Diagram: data between Management Agent and OMS interrupted/stolen]

• Data availability
– Available and usable upon demand by an authorized entity
• Denial-of-Service attacks
– Makes Management Repository or OMS unavailable to intended users by flooding them with more requests than they can handle

• Authentication
– The process to verify the identity, usually username and password, claimed by a user
• Password crack attacks
– Obtains password from an authentication exchange, then uses the password to log on to Enterprise Manager Grid Control
  • For example: guess, dictionary and brute force attacks

• Segregation of duties
– No person should be given responsibility for more than one related function
• Exploitation of authorization
– Accesses resources (targets, jobs, templates and so on) that he/she should not be authorized to

• Non-repudiation
– Network security: Neither sender nor recipient can later deny having processed the information
– Web Application security: No one can later deny the actions he/she has taken in the application
• Repudiation
– Refuses authoring of something that happened

Oracle Enterprise Manager Security Overview

1. Enterprise Manager Infrastructure Security
2. Authentication, Authorization and Audit – The Three A’s
3. Security of target authentications

Enterprise Manager Infrastructure Security

• Enterprise Manager Infrastructure Security
– Securing individual Enterprise Manager components
– Securing communication

[Diagram: Oracle Management Repository, Oracle Management Service, Grid Control Console, Management Agent; targets: Database, Application, Host]

Infrastructure Security Best Practices: Securing Enterprise Manager Components

• Harden the machines on which OMS and Management Repository reside
– Remove insecure services such as FTP, telnet, rlogin and so on
– Close UDP and TCP ports for services that are disabled
• Apply all security patches
– Always apply the latest relevant Critical Patch Updates (CPUs) for OS, Oracle Database, Oracle WebLogic Server, OMS and Agents
• Use a privilege delegation tool such as sudo/Powerbroker for access to the owner of the OMR, OMS and Agent Oracle Homes
– Disable direct login to hosts for the owner account, "oracle"
– Allow normal users to perform administrative tasks without disclosing the password of the privileged user

Infrastructure Security Best Practices: Oracle Management Repository

• Follow best practices for securing the Oracle Database (e.g. Oracle Database Security Checklist)
– Restrict operating system access
  • Limiting the number of OS users with access on Oracle Database host
  • Restricting the ability for these users to modify the default file/directory permissions of Oracle Home
– Restrict network access to the Repository
  • Check Network IP Address to allow the access to Oracle Database only from authorized nodes
  – Configure $TNS_ADMIN/protocol.ora file
    • tcp.validnode_checking=yes
    • tcp.included_nodes={list of IP addresses}
  – If Repository is the only database on the host, we can limit the nodes to OMS nodes only
– Please refer to the link for more information: http://www.oracle.com/technetwork/database/security/twp-security-checklist-database-1-132870.pdf

Infrastructure Security Best Practices: Oracle Management Service

• Follow best practices for securing Oracle WebLogic Server (Securing the Production Environment for Oracle WebLogic Server)
– Protect WebLogic Server Home directory, especially domain directory which contains configuration files, security files, log files and other Java EE resources for the WebLogic domain.
  • Grant only one OS user who runs WebLogic Server the access privilege to the directory
– Create no fewer than two user accounts with system administrator privileges
  • To ensure one user maintains account access in case another user becomes locked out by a dictionary/brute force attack
– Please refer to http://download.oracle.com/docs/cd/E12839_01/web.1111/e13705.pdf for more information

Infrastructure Security Best Practices: Oracle Management Agent

• Deploy agent via pushing agents from OMS
– Secure Shell (SSH) protocol is used in this approach, which ensures the confidentiality and integrity of agent installation
• Use complex one-time registration passwords with reasonable expiry date
– Registration password combined with random keys generated by OMS and agent is used to produce agent key to register and secure the agent
– Protect against the possibility of unauthorized agents accessing OMS


Infrastructure Security Best Practices: Securing Communication Overview

• Various communications within Enterprise Manager
– Between OMS and agent (Bidirectional)
– Between browsers and OMS
– Between OMS and Management Repository
– Between OMS and targets
• Communications in firewall environments

[Diagram: firewalls between Grid Control Console, Oracle Management Service, Oracle Management Repository, Management Agent and the Database, Application and Host targets]

Infrastructure Security Best Practices: Securing Communication Between OMS and Agents

• Securing communication between OMS and Agents (Bidirectional)
– It is secure locked out-of-box (10.2.0.5 and after), which means the communication is only over HTTPS
– Security aspects of communication over HTTPS
  • What secure protocol is used
    – Secure Socket Layer (SSL) v3
    – Transport Layer Security (TLS) v1
  • What strong cipher suites are used
  • Is certificate from well-known Certificate Authority (CA)

Infrastructure Security Best Practices: Securing communication

• Enable TLS v1 only for communication between OMS and Management Agents
– OMS:
  • emctl stop oms
  • emctl secure oms -protocol TLSv1
  • Append -Dweblogic.security.SSL.protocolVersion=TLS1 to JAVA_OPTIONS in Domain Home/bin/startEMServer.sh.
  • emctl start oms
– Agent:
  • Update $Agent_Home/sysman/config/emd.properties
    – allowTLSonly=true
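A check for the TLS v1 steps above, as an added example (not code from the slides or from Oracle): it parses an agent's emd.properties and the OMS startEMServer.sh and reports where the TLS-only settings are missing. The sample file contents, the host names and the REPOSITORY_URL scheme check are assumptions of this example.

```python
import re

TLS_FLAG_RE = re.compile(r"-Dweblogic\.security\.SSL\.protocolVersion=([A-Za-z0-9]+)")


def parse_properties(text):
    """Parse Java-style .properties text into a dict; the last assignment wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit_agent_properties(text):
    """Findings for an agent emd.properties file (empty list means compliant)."""
    props = parse_properties(text)
    findings = []
    tls_only = props.get("allowTLSonly")
    if tls_only is None:
        findings.append("allowTLSonly is not set")
    elif tls_only.lower() != "true":
        findings.append("allowTLSonly=%s, expected true" % tls_only)
    # REPOSITORY_URL is the agent's upload URL. Checking its scheme is an
    # assumption of this example, in line with the HTTPS-only lock described above.
    url = props.get("REPOSITORY_URL", "")
    if url and not url.lower().startswith("https://"):
        findings.append("REPOSITORY_URL is not HTTPS: %s" % url)
    return findings


def audit_oms_start_script(text):
    """Findings for startEMServer.sh: JAVA_OPTIONS must carry protocolVersion=TLS1."""
    values = []
    for raw in text.splitlines():
        active = raw.split("#", 1)[0]        # drop shell comments (simple cut, no quote handling)
        if "JAVA_OPTIONS" in active:
            values.extend(TLS_FLAG_RE.findall(active))
    if not values:
        return ["JAVA_OPTIONS does not set weblogic.security.SSL.protocolVersion"]
    return ["protocolVersion=%s, expected TLS1" % v for v in values if v != "TLS1"]


# Constructed samples, not taken from a real installation.
SAMPLE_EMD_WEAK = """\
# agent configuration (constructed)
REPOSITORY_URL=http://oms.example.com:4889/em/upload
EMD_URL=https://agent01.example.com:3872/emd/main/
allowTLSonly = false
"""

SAMPLE_EMD_FIXED = """\
REPOSITORY_URL=https://oms.example.com:1159/em/upload
EMD_URL=https://agent01.example.com:3872/emd/main/
allowTLSonly=true
"""

# The flag is present but commented out, so it has no effect.
SAMPLE_SCRIPT_WEAK = """\
#!/bin/sh
# JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.protocolVersion=TLS1"
JAVA_OPTIONS="${JAVA_OPTIONS} -Xms256m -Xmx1024m"
export JAVA_OPTIONS
"""

SAMPLE_SCRIPT_FIXED = """\
#!/bin/sh
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.protocolVersion=TLS1"
export JAVA_OPTIONS
"""

if __name__ == "__main__":
    for name, result in [
        ("agent (weak)", audit_agent_properties(SAMPLE_EMD_WEAK)),
        ("agent (fixed)", audit_agent_properties(SAMPLE_EMD_FIXED)),
        ("oms (weak)", audit_oms_start_script(SAMPLE_SCRIPT_WEAK)),
        ("oms (fixed)", audit_oms_start_script(SAMPLE_SCRIPT_FIXED)),
    ]:
        print(name, "->", result or "compliant")
```
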


Infrastructure Security Best Practices: Configuring Enterprise Manager for Firewalls

• Firewalls are commonplace in most mature and modern IT infrastructures
• Two areas where Enterprise Manager and firewalls will interact
– Navigate between Enterprise Manager components separated by firewalls
– Communicate with managed targets that are behind firewalls
• Enterprise Manager is designed to cope with both cases but…
– …this is one of the least understood areas when deploying Enterprise Manager in a secure environment

Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls

• Best Practices:
– Get firewalls into first design of the solution
  • Carefully analyze your protocol requirements between Enterprise Manager and the Managed Targets in your environment, e.g.,
    – HTTP/HTTPS for communication between OMS and Agents
    – SQL*Net for the communication between OMS and Oracle Database targets
    – ICMP and UDP for the communication between beacons and managed targets
  • Consider placement of OMSs when laying down your Enterprise Manager topology
– Work closely with the network team on design of groups and Access Control List (ACL) for groups of targets

Infrastructure Security Best Practices: Configuring Enterprise Manager for Firewalls

• Lots of different permutations with Enterprise Manager when dealing with Firewalls…
– Configuring agents on a host protected by a firewall
– Configuring OMS on a host protected by a firewall
– Firewalls between OMS and OMR
– Firewall between your browser and Grid Control
– Firewalls between the Grid Control and a managed database target
– Firewalls used with multiple OMS
– …
• Let’s take a tour through some of these

Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls

• Configure Oracle Management Agent on a host protected by a firewall
– Configure Oracle Management Agent to use proxy server for its upload to OMS
  • Update the following parameters in file $AGENT_HOME/sysman/config/emd.properties
    REPOSITORY_PROXYHOST=proxyhostname.domain
    REPOSITORY_PROXYPORT=port
  • If authentication is required, edit the following parameters as well
    REPOSITORY_PROXYREALM=realm
    REPOSITORY_PROXYUSER=proxyuser
    REPOSITORY_PROXYPWD=proxypassword
– Configure firewall to allow inbound communication from OMS to Agent
  • Port 3872 (default)
  • Port range 1830-1849 (non-default)

Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls

• Configure Oracle Management Service on a host protected by a firewall
– Configure OMS to use proxy server for its communication to agents outside the firewall
  • Update the following OMS properties via emctl set property command:
    – emctl set property -name <property> -value <value>
    PROXYHOST=proxyhostname.domain
    PROXYPORT=port
  • If there are some agents on the hosts that are inside the firewall, set dontProxyfor property for these hosts
    dontPROXYFor = hostname1,hostname2
– Configure firewall to allow inbound communication from Agents to OMS
  • Default HTTP/HTTPS Ports: 4889/1159
  • Non-default port range 4890-4897/4898-4908
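A rule review for the OMS and agent firewall ports listed above, as an added example (not code from the slides or from Oracle): it reports configured ports that no rule allows and rules that open more than the documented ranges. The zone names, the Rule tuple and the sample rule sets are constructed for illustration.

```python
from collections import namedtuple

# One firewall allow rule: TCP traffic from zone `src` to zone `dst`, ports lo..hi.
Rule = namedtuple("Rule", "src dst lo hi")

# Port ranges from the slides, per direction (the ranges do not overlap).
DOCUMENTED = {
    ("oms", "agent"): [(3872, 3872), (1830, 1849)],
    ("agent", "oms"): [(4889, 4889), (1159, 1159), (4890, 4897), (4898, 4908)],
}


def undocumented_ports(rule):
    """Number of ports the rule opens beyond the documented ranges for its direction."""
    total = rule.hi - rule.lo + 1
    covered = 0
    for lo, hi in DOCUMENTED[(rule.src, rule.dst)]:
        overlap = min(hi, rule.hi) - max(lo, rule.lo) + 1
        covered += max(overlap, 0)
    return total - covered


def review(rules, in_use):
    """Compare allow rules with the ports this deployment actually uses.

    in_use maps a direction, e.g. ("oms", "agent"), to the configured port.
    Returns a list of findings; an empty list means the rules are sufficient
    and no wider than the documented ranges.
    """
    findings = []
    for (src, dst), port in sorted(in_use.items()):
        allowed = any(
            r.src == src and r.dst == dst and r.lo <= port <= r.hi for r in rules
        )
        if not allowed:
            findings.append("missing: %s -> %s tcp/%d" % (src, dst, port))
    for r in rules:
        if (r.src, r.dst) not in DOCUMENTED:
            continue  # other flows (browser, repository, targets) are out of scope here
        extra = undocumented_ports(r)
        if extra:
            findings.append(
                "too broad: %s -> %s tcp/%d-%d opens %d undocumented ports"
                % (r.src, r.dst, r.lo, r.hi, extra)
            )
    return findings


# Constructed deployment: default agent port, HTTPS upload port on the OMS.
IN_USE = {("oms", "agent"): 3872, ("agent", "oms"): 1159}

RULES_BROAD = [Rule("oms", "agent", 3872, 3872), Rule("agent", "oms", 1024, 65535)]
RULES_GAP = [Rule("oms", "agent", 1830, 1849), Rule("agent", "oms", 1159, 1159)]
RULES_TIGHT = [Rule("oms", "agent", 3872, 3872), Rule("agent", "oms", 1159, 1159)]

if __name__ == "__main__":
    for name, rules in [("broad", RULES_BROAD), ("gap", RULES_GAP), ("tight", RULES_TIGHT)]:
        print(name, "->", review(rules, IN_USE) or "ok")
```
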


Authentication, Authorization and Auditing: The Three A’s

• Authentication
– Determines whether someone is in fact who it is declared to be while accessing Enterprise Manager Grid Control
• Authorization
– Provides access control to secure resources and functionalities within Enterprise Manager such as targets, jobs, templates, reports, etc.
• Audit
– Keeps track of the actions that happened within Enterprise Manager to prevent repudiation

[Diagram: Oracle Enterprise Manager with Authentication, Authorization and Audit layers over Jobs, Templates, Reports, etc. and over Databases, Applications, Hosts and Application Servers]


The Three A’s Best Practices: Authentication

• Repository-based authentication (Default)
– Use password profile to enforce the password control such as password complexity, failed login attempt, password reuse max, password life time, etc.
• Leverage Grid Control user authentication to Oracle Single Sign-on (OSSO) or Enterprise User Security (EUS)
– Simplify the identity management across the enterprise
– Both SSO and EUS enable your users to authenticate to Grid Control by using their credentials stored in LDAP server

[Diagram: Oracle Enterprise Manager authenticating through OSSO and EUS (LDAP Server) or, by default, the Oracle Management Repository (OMR)]

The Three A’s Best Practices: Authentication

• Disable SYSMAN logging into Grid Control console by issuing the following SQL statement on Repository

    UPDATE MGMT_CREATED_USERS
    SET SYSTEM_USER='-1'
    WHERE user_name='SYSMAN';

• If you want to enable SYSMAN logging into Grid Control Console later on:

    UPDATE MGMT_CREATED_USERS
    SET SYSTEM_USER='1'
    WHERE user_name='SYSMAN';

• Change password for both SYSMAN and MGMT_VIEW on a regular basis
– Prevent password crack attacks
– emctl config oms -change_repos_pwd -change_in_db
– emctl config oms -change_view_user_pwd


The Three A’s Best Practices: Authorization Overview

• Two-step authorization process enables fine-grained access and segregation of duties:
– Enterprise Manager authorization
  • Controls the access to the resources and functionalities within Enterprise Manager
    – Manage target metrics thresholds
    – Set alert notification rules
    – Enable/disable Enterprise Manager packs
– Target authorization
  • Controls the access to the resources and functionalities within the target
    – CREATE new TABLE
    – Back-up database
    – Tune SQL
  • Enforced by target security model
  • Depends on the credential used to connect to the target

[Diagram: Enterprise Manager Authorization inside Oracle Enterprise Manager (Jobs, Templates, Reports, etc.); Target Authorization on connecting to the Database, Application, Host and Application Server targets]

The Three A’s Best Practices: Authorization Overview

• Example: SQLTuningDBA
– Create new user, SQLTuningDBA, who is only responsible for tuning 2 of 100 managed database targets
• Enterprise Manager authorization
– Create EM user SQLTuningDBA
– Grant VIEW Target Privilege on the 2 DB targets of interest
• Target authorization
– Target credentials used should have the following database privileges
  • select_any_catalog
  • administer sql tuning set
  • execute on dbms_workload_repository

[Diagram: Oracle Enterprise Manager connecting as database user A and as database user B to Database 1 and Database 2]

Page 43: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

The Three A’s Best Practices Enterprise Manager Authorization Overview

What type of administrator

should the

• Normal Enterprise Manager Administrator

H NO tshould the new user be?

– Has NO access to anything unless granted privileges

• Super Administratorp– Has FULL privileges on

all targets and the ability to create Super AdministratorsAdministrators

43

Page 44: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

The Three A’s Best Practices Enterprise Manager Authorization Overview

• Normal Enterprise Manager Administrator– Has NO access to anything unless granted

privileges• Super Administrator

– Has FULL privileges on all targets and the ability to create Super Administrators

What type of administrator

should the

• Enterprise Manager offers 10 System P i il (4 i 11

ability to create Super Administrators

should the new user be?

Wh t S t

Privileges (4 new in 11g Release 1),e.g.,

– Should the user be able to VIEW any targets

What System Privilege(s) should the user have?

y g– Should the user be able

to ADD new targets?

44

Page 45: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

The Three A’s Best Practices: Enterprise Manager Authorization Overview

What type of administrator should the new user be?

• Normal Enterprise Manager Administrator
  – Has NO access to anything unless granted privileges
• Super Administrator
  – Has FULL privileges on all targets and the ability to create Super Administrators

What System Privilege(s) should the user have?

• Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1), e.g.,
  – Should the user be able to VIEW any targets?
  – Should the user be able to ADD new targets?

What target should the user be able to access?

• Should the user only be able to monitor the databases of his own department?

Page 46: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

The Three A’s Best Practices: Enterprise Manager Authorization Overview

What type of administrator should the new user be?

• Normal Enterprise Manager Administrator
  – Has NO access to anything unless granted privileges
• Super Administrator
  – Has FULL privileges on all targets and the ability to create Super Administrators

What System Privilege(s) should the user have?

• Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1), e.g.,
  – Should the user be able to VIEW any targets?
  – Should the user be able to ADD new targets?

What targets should the user be able to access?

• Should the user only be able to monitor the databases of his own department?

What Target Privilege(s) should the user have?

• Enterprise Manager provides 7 Target Privileges, e.g.,
  – Should the user be able to blackout target 1, 2 and 3?
  – Should the user be able to change metric threshold setting for target 4, 5 and 6?
• Whether the user is able to tune performance of target 1 depends on the credential he uses to connect to target 1

Page 47: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

The Three A’s Best Practices: Enterprise Manager Authorization Overview

What type of administrator should the new user be?

• Normal Enterprise Manager Administrator
  – Has NO access to anything unless granted privileges
• Super Administrator
  – Has FULL privileges on all targets and the ability to create Super Administrators

What System Privilege(s) should the user have?

• Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1), e.g.,
  – Should the user be able to VIEW any targets?
  – Should the user be able to ADD new targets?

What targets should the user be able to access?

• Should the user only be able to monitor the databases of his own department?

What Target Privilege(s) should the user have?

• Enterprise Manager provides 7 Target Privileges, e.g.,
  – Should the user be able to blackout target 1, 2 and 3?
  – Should the user be able to change metric threshold setting for target 4, 5 and 6?
• Whether the user is able to tune performance of target 1 depends on the credential he uses to connect to target 1

Privilege Propagating Group

• If groups of targets are always monitored and managed in the same way, do we have to grant the privileges on these individual targets to the user?
• Privilege Propagating Group – Privileges granted on the group automatically granted on its members

Page 48: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

The Three A’s Best Practices: Enterprise Manager Authorization Overview

What type of administrator should the new user be?

• Normal Enterprise Manager Administrator
  – Has NO access to anything unless granted privileges
• Super Administrator
  – Has FULL privileges on all targets and the ability to create Super Administrators

What System Privilege(s) should the user have?

• Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1), e.g.,
  – Should the user be able to VIEW any targets?
  – Should the user be able to ADD new targets?

What targets should the user be able to access?

• Should the user only be able to monitor the databases of his own department?

What Target Privilege(s) should the user have?

• Enterprise Manager provides 7 Target Privileges, e.g.,
  – Should the user be able to blackout target 1, 2 and 3?
  – Should the user be able to change metric threshold setting for target 4, 5 and 6?
• Whether the user is able to tune performance of target 1 depends on the credential he uses to connect to target 1

Privilege Propagating Group

• If groups of targets are always monitored and managed in the same way, do we have to grant the privileges on these individual targets to the user?
• Privilege Propagating Group – Privileges granted on the group automatically granted on its members

Role

• If there are a set of users sharing the same responsibilities, do we have to grant all the individual privileges one by one to these users?
• Role -- Set of privileges

Page 49: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

The Three A’s Best Practices: Enterprise Manager Authorization

• Reduce the number of Super Administrators
  – Super Administrators have FULL privilege on all targets and could create additional Super Administrators
• Grant only the minimum set of privileges
  – Follow the principle of least privilege: grant each user only the minimum set of privileges needed to fulfill their responsibilities
• Achieve segregation of duties and simplify authorization management
  – Grant roles instead of individual privileges to users
  – Use roles along with Privilege Propagating groups
• Monitor privilege/role operations through Enterprise Manager Auditing

[Diagram: Oracle Enterprise Manager authorization covering jobs, templates, reports, etc. and the managed targets: databases, applications, hosts, application servers]

Page 50: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Authentication, Authorization and Auditing: The Three A’s

• Authentication
  – Determines whether someone is in fact who they are declared to be while accessing Enterprise Manager Grid Control
• Authorization
  – Provides access control to secure resources and functionalities within Enterprise Manager such as targets, jobs, templates, reports, etc.
• Audit
  – Keeps track of the actions that happened within Enterprise Manager to prevent repudiation

[Diagram: Oracle Enterprise Manager with Authentication, Authorization and Audit layers over jobs, templates, reports, etc. and the managed targets: databases, applications, hosts, application servers]

Page 51: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

The Three A’s Best Practices: Audit

• Extended actions audited by Enterprise Manager
  – 61 actions (33 new actions in 11g Release 1)
  – For example, user login/logoff, privilege granting/revoking, changes on monitoring template, changes on user defined policies, and database target start/stop/restart
• Built-in externalization service to purge audit data from Repository and export to external file system automatically

    emcli update_audit_settings -file_prefix=<file_prefix> -directory_name=<directory_name> -file_size=<file size> -data_retention_period=<period in days>

• GUI interface to view and search audit data
  – Setup -> Management Service and Repository -> Audit Data

Page 52: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

The Three A’s Best Practices: Audit

• Enable Audit for EM Operations

    emcli enable_audit

• If you only care about a subset of actions, you can just enable the auditing for them

    emcli update_audit_settings -audit_switch="ENABLE" -operations_to_enable="LOGIN;LOGOUT"

• Configure the externalization service to purge the audit data from the Repository to an external file system on a regular basis.

    emcli update_audit_settings -directory="EM_DIR" -file_prefix="emgc_audit" -file_size="1000000" -data_retention_period="60"

Page 53: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Oracle Enterprise Manager Security Overview

1. Enterprise Manager Infrastructure Security
2. Authentication, Authorization and Audit – The Three A’s
3. Security of target authentications

Page 54: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Security of Target Authentication: Credential System

• Credentials
  – Credentials are typically username and password required to access targets such as databases, hosts, etc.
  – Stored encrypted in Repository or Agent
• Usages of credentials:
  – Collect metrics in the background as well as in real-time
  – Perform jobs like Backup, Patching, Cloning, etc.
  – Real-time target administration like start, stop, etc.
  – Connect to My Oracle Support for patches
• Preferred credentials – per user basis
  – Default credential – per target type
  – Target credential – per target
  – Target credential overrides default credential

[Diagram: users of Enterprise Manager Grid Control; Oracle Management Repository (credentials are stored encrypted) and Oracle Management Service; Agents performing target authentication against targets: Database, Solaris, Linux, Windows, Applications, Application Server]

Page 55: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Target Authentication Best Practices: Credential System

• Do not set preferred credentials for group/common accounts, e.g., SYSMAN. The following SQL statement gives you the result of preferred credential setting:

    SELECT t.target_name, tc.user_name, tc.credential_set_name
    FROM MGMT_TARGET_CREDENTIALS tc, MGMT_TARGETS t
    WHERE tc.target_guid = t.target_guid

• Keep track of the operations on credential by enabling auditing the corresponding actions
• Use emcli verbs to synchronize credentials between Enterprise Manager and its database targets

    emcli update_db_password -user_name="DBUserName" -change_at_target=yes

[Diagram: Enterprise Manager Grid Control holding Preferred Credentials, UDM Collection Credentials, Job Credentials and Monitoring Credentials in the Oracle Management Repository, Oracle Management Service and Management Agent, all mapping to the database user on the Database target]

Page 56: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Target Authentication Best Practices: Host Target Authentication

• Configure Pluggable Authentication Module (PAM) to take advantage of rich authentication approaches to Host access
  – Kerberos, RADIUS and LDAP supported to take advantage of the centralized identity storage and management
  – WebIV 422073.1: How to configure Agent with PAM to support LDAP authentication
• Privilege Delegation (sudo/PowerBroker) supported across Enterprise Manager
  – Enable users to perform administrative tasks without providing credentials for functional accounts

Page 57: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Threats vs. Best Practices

Security Threats | Best Practices
--- | ---
Man-in-the-Middle Attacks | Securing the communication; Enable TLS v1 protocol; Configure firewalls; ……
Denial-of-Service Attacks | Secure individual Enterprise Manager components; ……
Exploitation of Authorization | Principle of least privileges; Auditing the authorization actions; ……
Password crack Attacks | Change password on a regular basis; Enable password profile to enforce password control; ……
Repudiation | Enable auditing for Grid Control actions

Page 58: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Agenda

• Oracle Enterprise Manager Overview
• Security Best Practices
• Managing Enterprise Manager Security using Enterprise Manager
• Q & A
• Appendix

Page 59: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Oracle Enterprise Manager: Manage its Own Security

• Monitor its own security compliance
  – Security policies
    • Define the desired behaviors of systems in terms of security
  – Security at a glance
    • Provides an overview of the security health of the enterprise for all targets or specific groups
  – Notification of violations
    • Email, Page, SNMP Traps, etc.
• Fix its own security violations
  – Corrective actions
  – CPU Advisory
  – Patching automation
    • Connects to MOS to discover and pull in new patches
    • Rapidly deploys security patches

[Diagram: Oracle Enterprise Manager monitoring EM security compliance and fixing EM security violations across the Oracle Management Service, Repository and Oracle Management Agent]

Page 60: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Useful Whitepapers

• Oracle Database Security Best Practices
  – http://www.oracle.com/technetwork/database/security/twp-security-checklist-database-1-132870.pdf
• Oracle WebLogic Server Security Best Practices
  – http://download.oracle.com/docs/cd/E12839_01/web.1111/e13705.pdf
• Oracle Enterprise Manager Security Deployment Best Practices
  – http://www.oracle.com/technetwork/oem/grid-control/twp-security-best-practices-133704.pdf

Page 61: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Additional Oracle Enterprise Manager Sessions

Thursday, Sept. 23 | Location
--- | ---
3:00 p.m. - The X-Files: Managing the Oracle Exadata and Highly Available Oracle Databases | Moscone S. Room 102
3:00 p.m. - Monitoring and Diagnosing Oracle RAC Performance with Oracle Enterprise Manager | Moscone S. Room 310

Page 62: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Oracle Enterprise Manager 11g Resource Center

Access Videos, Webcasts, White Papers, and More

Oracle.com/enterprisemanager11g


Page 65: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Appendix

Page 66: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Infrastructure Security Best Practices: Oracle Management Repository

• Secure the Oracle Listener to defend Denial-of-Service (DoS) attacks
  – Enable Connection Rate Limiter feature
    • Configure $TNS_ADMIN/admin/listener.ora
      – Connection_rate_Listenername = n
      – Rate_limit in ADDRESS section of listener endpoint configuration
    • Listenername=(ADDRESS=
          (PROTOCOL=tcp)
          (HOST=Server1)
          (PORT=1521)
          (RATE_LIMIT=yes))
  – Please refer to the link for more information: http://www.oracle.com/technetwork/database/enterprise-edition/oraclenetservices-connectionratelim-133050.pdf

Page 67: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Infrastructure Security Best Practices: Secure communication

• Secure lock OMS
  – Enforces the communication with OMS only over SSL/TLS
  – By default OMS is secure locked (10.2.0.5 and after)
  – If your instance is upgraded from previous version that is not secure locked, please issue the following command
    • emctl secure lock
  – And the following command can tell you if your OMS is secure locked or not
    • emctl status oms -details

      HTTP Console Port : 7802
      HTTPS Console Port : 5416
      HTTP Upload Port : 7654
      HTTPS Upload Port : 4473
      Agent Upload is locked.
      OMS Console is locked.
      Active CA ID: 1

[Diagram: Grid Control Console, Oracle Management Service, Oracle Management Repository and Management Agent with Database, Application and Host targets]

Page 68: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Infrastructure Security Best Practices: Secure communication

• Secure the agent
  – emctl status agent -secure

      …
      Agent is secure at HTTPS Port 1838
      OMS is secure on HTTPS Port 4473

  – emctl secure agent
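The lock and secure states reported by the two status commands above can be checked automatically. This is an added example, not Oracle code: it parses the output quoted on these slides and cross-checks the agent's view of the OMS upload port. The "unlocked" wording in the constructed sample is an assumption; the check treats any state other than "locked" as a finding.

```python
import re

# Output quoted on the slides above.
OMS_STATUS = """\
HTTP Console Port : 7802
HTTPS Console Port : 5416
HTTP Upload Port : 7654
HTTPS Upload Port : 4473
Agent Upload is locked.
OMS Console is locked.
Active CA ID: 1
"""
AGENT_STATUS = """\
Agent is secure at HTTPS Port 1838
OMS is secure on HTTPS Port 4473
"""
# Constructed sample: an upgraded OMS that was never locked. The word
# "unlocked" is an assumption; only the exact state "locked" passes.
OMS_STATUS_UNLOCKED = OMS_STATUS.replace("is locked.", "is unlocked.")

PORT_RE = re.compile(r"^\s*(HTTPS?) (Console|Upload) Port\s*:\s*(\d+)\s*$", re.M)
LOCK_RE = re.compile(r"^\s*(Agent Upload|OMS Console) is (\w+)\.?\s*$", re.M)
AGENT_RE = re.compile(r"^\W*(Agent|OMS) is secure (?:at|on) HTTPS Port (\d+)\s*$", re.M)


def parse_oms_status(text):
    """Extract port numbers and lock flags from 'emctl status oms -details'."""
    ports = {f"{proto} {kind}": int(num) for proto, kind, num in PORT_RE.findall(text)}
    locks = {name: state.lower() == "locked" for name, state in LOCK_RE.findall(text)}
    return {"ports": ports, "locks": locks}


def parse_agent_status(text):
    """Extract the HTTPS ports reported by 'emctl status agent -secure'."""
    return {who: int(port) for who, port in AGENT_RE.findall(text)}


def findings(oms_text, agent_text):
    """Return a list of human-readable problems; an empty list means all checks pass."""
    oms, agent = parse_oms_status(oms_text), parse_agent_status(agent_text)
    out = []
    for name in ("Agent Upload", "OMS Console"):
        if name not in oms["locks"]:
            out.append(f"{name}: lock state not reported")
        elif not oms["locks"][name]:
            out.append(f"{name}: not locked; run 'emctl secure lock'")
    if "Agent" not in agent:
        out.append("Agent: no secure HTTPS port reported; run 'emctl secure agent'")
    if "OMS" not in agent:
        out.append("Agent: does not report a secure OMS port")
    else:
        expected = oms["ports"].get("HTTPS Upload")
        if agent["OMS"] != expected:
            out.append(f"Agent uploads to OMS port {agent['OMS']}, "
                       f"but the OMS HTTPS upload port is {expected}")
    return out


if __name__ == "__main__":
    for label, oms_text in (("as quoted", OMS_STATUS), ("unlocked", OMS_STATUS_UNLOCKED)):
        print(label, findings(oms_text, AGENT_STATUS) or "OK")
```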

Page 69: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Infrastructure Security Best Practices: Secure communication

• Securing communication between OMS and Repository by enabling network security feature of Advanced Security Option (ASO)
  – ASO is a DB option that combines network encryption, database encryption and strong authentication together to help customers address privacy and compliance requirements
  – Ensures that the data between OMS and Repository is secure from both confidentiality and integrity standpoints

Page 70: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Infrastructure Security Best Practices: Secure communication

• Securing communication between OMS and Repository by enabling network security feature of Advanced Security Option (ASO)
  – Steps:
    • Set the following OMS configuration parameters with the appropriate values by issuing the following command:
      – emctl set property -name <property_name> -value <value>

          oracle.sysman.emRep.dbConn.enableEncryption=true
          oracle.net.encryption_client=REQUESTED
          oracle.net.encryption_types_client={DES40C}
          oracle.net.crypto_checksum_client=REQUESTED
          oracle.net.crypto_checksum_types_client={MD5}

    • Add the following to Repository’s $TNS_ADMIN/sqlnet.ora
      – SQLNET.ENCRYPTION_SERVER = REQUESTED

Page 71: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Infrastructure Security Best Practices: Secure communication

• Enable the strong cipher suites for the communication between Enterprise Manager components
  – Agent
    • Edit $AGENT_HOME/sysman/config/emd.properties to configure the strong cipher suites

        SSLCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_AES_128_CBC_SHA:SSL_RSA_WITH_AES_256_CBC_SHA

  – OMS:
    • Update the following parameter in $INSTANCE_HOME/WebTierIH1/config/OHS/ohs1/httpd_em.conf and ssl.conf files

        SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
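Several suites in the two lists above use algorithms that are now regarded as weak (RC4, single DES, export-grade keys, 3DES), so a configured list is worth auditing before it is deployed. The following added example, which is not Oracle code, parses both configuration line formats shown on the slide and flags suites by the algorithm tokens in their names; the rule table and the function names are this example's own.

```python
import re

# Suite-name tokens that mark an algorithm now regarded as weak.
# Matching is on whole underscore-separated tokens, so "3DES" never matches "DES".
WEAK_TOKENS = {
    "EXPORT": "export-grade key length",
    "NULL": "no encryption",
    "anon": "unauthenticated key exchange",
    "RC4": "RC4 stream cipher (biased keystream)",
    "DES": "single DES, 56-bit key",
    "DES40": "DES with a 40-bit key",
    "3DES": "3DES, 64-bit block cipher",
    "MD5": "MD5-based MAC",
}

# The two lists from the slide above.
AGENT_LINE = ("SSLCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:"
              "SSL_RSA_WITH_AES_128_CBC_SHA:SSL_RSA_WITH_AES_256_CBC_SHA")
OMS_LINE = ("SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:"
            "SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA")


def parse_cipher_line(line):
    """Split 'SSLCipherSuites=a:b' (emd.properties) or 'SSLCipherSuite a:b' (OHS conf)."""
    match = re.match(r"\s*SSLCipherSuites?\s*[=\s]\s*(\S.*)$", line)
    if not match:
        raise ValueError(f"not a cipher suite setting: {line!r}")
    return [name.strip() for name in match.group(1).split(":") if name.strip()]


def audit_suite(name):
    """Return the reasons a suite is flagged; an empty list means no rule matched."""
    reasons = []
    if not re.match(r"(SSL|TLS)_", name):
        reasons.append("unrecognised suite name prefix (possible typo)")
    reasons += [WEAK_TOKENS[tok] for tok in name.split("_") if tok in WEAK_TOKENS]
    return reasons


def audit_line(line):
    """Map each flagged suite in a configuration line to its reasons."""
    flagged = {}
    for name in parse_cipher_line(line):
        reasons = audit_suite(name)
        if reasons:
            flagged[name] = reasons
    return flagged


def acceptable(line):
    """Suites that no rule flagged. This is not an endorsement: the table only
    covers the algorithm families listed in WEAK_TOKENS."""
    return [name for name in parse_cipher_line(line) if not audit_suite(name)]


if __name__ == "__main__":
    for label, line in (("agent", AGENT_LINE), ("oms", OMS_LINE)):
        print(label, "flagged:")
        for name, reasons in audit_line(line).items():
            print("   ", name, "->", "; ".join(reasons))
        print(label, "unflagged:", acceptable(line))
```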

Page 72: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Infrastructure Security Best Practices: Secure communication

• Use a certificate from well-known Certificate Authority (CA) for the communication
  – Trusted certificates
  – Different expiry and key size that meet special security rules
  – Steps:
    • Create a wallet for each OMS in the grid.
    • Write certificates of all the Certificate Authorities in the certificate chain into file trusted_certs.txt.
    • Download file trusted_certs.txt file to agents host machines
    • Restart Agent after running the add_trust_cert command.

        emctl secure add_trust_cert -trust_certs_loc <location of trusted_certs.txt file>

    • Secure OMS and restart it.

        emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt>

Page 73: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls

• Firewall between browsers and Grid Control Console
  – Configure the firewall to allow Grid Control Console to receive HTTP traffic over 7778
    • Or 7777 if Web cache is used in OMS home
  – If Grid Control Console is secured as mentioned earlier, configure firewall to allow Grid Control Console to receive HTTPS traffic over port 4443

[Diagram: Browser, Firewall (ports 7777, 7778, 4443), Oracle Management Service (OMS) with Web-based Grid Control]

Page 74: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls

• Configure firewall between OMS and Repository to allow Oracle Net traffic flow
  – As mentioned earlier, to secure the communication between OMS and Repository, we need to enable Oracle ASO for Repository
  – ASO supports the following two types of firewalls
    • Application proxy-based firewalls, such as Network Associates Gauntlet, or Axent Raptor
    • Stateful packet inspection firewalls, such as Check Point Firewall-1, or Cisco PIX Firewall
  – Some vendors’ firewalls can be configured to recognize Oracle*Net traffic with their Oracle Net Proxy Traffic Kits
    • Otherwise, define an ACL that allows traffic flow between the subnet hosting the OMS and the subnet hosting the repository

[Diagram: Oracle Management Service (OMS), Firewall (SQL*Net), Management Repository]

Page 75: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Privilege Propagating Group

• Privilege Propagating Group
  – A special group that the privileges granted on will be propagated to its nested and direct members
    • For a normal group, no matter what privileges (FULL, OPERATOR or VIEW) on the group is granted to you, you’ll only get VIEW privileges on the group members
  – System privilege “Create Privilege Propagating Group” is required to create this type of group
  – “Full privilege” on the target is required to add the target as a member of a group
  – emcli verb to convert the normal group and privilege propagating group
    • emcli modify_group -privilege_propagating=true/false
• Privilege Propagating System, Redundancy Group, Aggregate Services
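Because converting a normal group to a privilege propagating group silently raises what existing grantees hold on every member, it helps to compute the effect before running the conversion. The following is an added toy model, not Oracle code, of the rules stated on this slide and on the roles slide earlier: it resolves a user's effective target privileges from direct grants, roles and groups, then lists what each user would gain if a group were converted. All user, role, group and target names are constructed, and applying VIEW to the nested members of a normal group is an assumption of the model.

```python
from dataclasses import dataclass

RANK = {"VIEW": 1, "OPERATOR": 2, "FULL": 3}


@dataclass
class Group:
    members: list                       # names of targets or of other groups
    privilege_propagating: bool = False


# Constructed sample data.
GROUPS = {
    "finance_dbs": Group(["db1", "db2"]),                                 # normal group
    "hr_targets": Group(["db3", "hr_hosts"], privilege_propagating=True),
    "hr_hosts": Group(["host1"], privilege_propagating=True),             # nested group
}
ROLE_GRANTS = {"HR_OPERATOR": [("hr_targets", "OPERATOR")]}
USER_ROLES = {"alice": ["HR_OPERATOR"]}
DIRECT_GRANTS = {"alice": [("finance_dbs", "FULL")], "bob": [("finance_dbs", "VIEW")]}


def _grant(result, name, level):
    """Record the highest level seen for an object."""
    if RANK[level] > RANK.get(result.get(name), 0):
        result[name] = level


def _walk(result, groups, name, level, seen):
    _grant(result, name, level)
    group = groups.get(name)
    if group is None or (name, level) in seen:   # plain target, or already expanded
        return
    seen.add((name, level))                      # also guards against group cycles
    # Propagating group: members inherit the granted level.
    # Normal group: members get VIEW only, whatever was granted on the group.
    member_level = level if group.privilege_propagating else "VIEW"
    for member in group.members:
        _walk(result, groups, member, member_level, seen)


def effective_privileges(user, direct_grants, user_roles, role_grants, groups):
    """Resolve direct and role-based grants into a {object: level} map."""
    grants = list(direct_grants.get(user, []))
    for role in user_roles.get(user, []):
        grants += role_grants.get(role, [])
    result, seen = {}, set()
    for obj, level in grants:
        _walk(result, groups, obj, level, seen)
    return result


def gains_if_converted(group_name, users, direct_grants, user_roles, role_grants, groups):
    """Per user, the (before, after) levels that change if group_name is converted
    to a privilege propagating group."""
    changed = dict(groups)
    changed[group_name] = Group(groups[group_name].members, True)
    gains = {}
    for user in users:
        before = effective_privileges(user, direct_grants, user_roles, role_grants, groups)
        after = effective_privileges(user, direct_grants, user_roles, role_grants, changed)
        delta = {o: (before.get(o), lvl) for o, lvl in after.items() if before.get(o) != lvl}
        if delta:
            gains[user] = delta
    return gains


if __name__ == "__main__":
    print(effective_privileges("alice", DIRECT_GRANTS, USER_ROLES, ROLE_GRANTS, GROUPS))
    print(gains_if_converted("finance_dbs", ["alice", "bob"],
                             DIRECT_GRANTS, USER_ROLES, ROLE_GRANTS, GROUPS))
```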

Page 76: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls

• Configure OMS to use proxy server for its connections to My Oracle Support to check CPUs
• Update the following OMS properties via emctl set property command:
  – emctl set property -name <property> -value <value>

      PROXYHOST=proxyhostname.domain
      PROXYPORT=port

• If there are some agents on the hosts that are inside the firewall, set dontProxyfor property for these hosts

      dontPROXYFor=hostname1,hostname2

[Diagram: Oracle Management Service (OMS), Firewall, My Oracle Support]

Page 77: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Manage Enterprise Manager Security: Monitor its Own Security

• Security Policies
  – Help you quickly identify systems that are not in compliance
  – Out-of-box policies adopted from industry best practices
  – Customize policies to meet specific security need in your organization
• Security at a glance
  – Helps you to quickly focus on security issues by showing statistics about security policy violations and noting the critical security patches that have not been applied
    • Compliance scores and Violation flux
• Notification of violations
  – E-mail, Page, SNMP Traps, etc.

[Diagram: Oracle Enterprise Manager, Security Violations]

Page 78: - Oracle › technetwork › oem › arch-deploy › ... · Infrastructure Security Best Practices Oracle Management Repository • Follow best practices

Manage Enterprise Manager Security: Fix its Own Security Violations

• Corrective actions to remediate violations
• CPU Advisories
• Patching automation
  – Connects to MOS to discover and pull in new patches
  – Rapidly deploys security patches

[Diagram: Oracle Enterprise Manager, Security Violations, Corrective Actions]