oracle® advanced support gateway security guide · oracle® advanced support gateway security...

Oracle® Advanced Support GatewaySecurity Guide

Part No: E40643-24May 2018

Oracle Advanced Support Gateway Security Guide

Part No: E40643-24

Copyright © 2018, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Exceptas expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform,publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, isprohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation,delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplementalregulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on thehardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerousapplications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take allappropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of thissoftware or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks ofSPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registeredtrademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates arenot responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreementbetween you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content,products, or services, except as set forth in an applicable agreement between you and Oracle.

Access to Oracle Support

Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info


http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs

Référence: E40643-24

Copyright © 2018, Oracle et/ou ses affiliés. Tous droits réservés.

Ce logiciel et la documentation qui l'accompagne sont protégés par les lois sur la propriété intellectuelle. Ils sont concédés sous licence et soumis à des restrictions d'utilisation etde divulgation. Sauf stipulation expresse de votre contrat de licence ou de la loi, vous ne pouvez pas copier, reproduire, traduire, diffuser, modifier, accorder de licence, transmettre,distribuer, exposer, exécuter, publier ou afficher le logiciel, même partiellement, sous quelque forme et par quelque procédé que ce soit. Par ailleurs, il est interdit de procéder à touteingénierie inverse du logiciel, de le désassembler ou de le décompiler, excepté à des fins d'interopérabilité avec des logiciels tiers ou tel que prescrit par la loi.

Les informations fournies dans ce document sont susceptibles de modification sans préavis. Par ailleurs, Oracle Corporation ne garantit pas qu'elles soient exemptes d'erreurs et vousinvite, le cas échéant, à lui en faire part par écrit.

Si ce logiciel, ou la documentation qui l'accompagne, est livré sous licence au Gouvernement des Etats-Unis, ou à quiconque qui aurait souscrit la licence de ce logiciel pour lecompte du Gouvernement des Etats-Unis, la notice suivante s'applique :


Ce logiciel ou matériel a été développé pour un usage général dans le cadre d'applications de gestion des informations. Ce logiciel ou matériel n'est pas conçu ni n'est destiné à êtreutilisé dans des applications à risque, notamment dans des applications pouvant causer un risque de dommages corporels. Si vous utilisez ce logiciel ou ce matériel dans le cadred'applications dangereuses, il est de votre responsabilité de prendre toutes les mesures de secours, de sauvegarde, de redondance et autres mesures nécessaires à son utilisation dansdes conditions optimales de sécurité. Oracle Corporation et ses affiliés déclinent toute responsabilité quant aux dommages causés par l'utilisation de ce logiciel ou matériel pour desapplications dangereuses.

Oracle et Java sont des marques déposées d'Oracle Corporation et/ou de ses affiliés. Tout autre nom mentionné peut correspondre à des marques appartenant à d'autres propriétairesqu'Oracle.

Intel et Intel Xeon sont des marques ou des marques déposées d'Intel Corporation. Toutes les marques SPARC sont utilisées sous licence et sont des marques ou des marquesdéposées de SPARC International, Inc. AMD, Opteron, le logo AMD et le logo AMD Opteron sont des marques ou des marques déposées d'Advanced Micro Devices. UNIX est unemarque déposée de The Open Group.

Ce logiciel ou matériel et la documentation qui l'accompagne peuvent fournir des informations ou des liens donnant accès à des contenus, des produits et des services émanant detiers. Oracle Corporation et ses affiliés déclinent toute responsabilité ou garantie expresse quant aux contenus, produits ou services émanant de tiers, sauf mention contraire stipuléedans un contrat entre vous et Oracle. En aucun cas, Oracle Corporation et ses affiliés ne sauraient être tenus pour responsables des pertes subies, des coûts occasionnés ou desdommages causés par l'accès à des contenus, produits ou services tiers, ou à leur utilisation, sauf mention contraire stipulée dans un contrat entre vous et Oracle.

Accès aux services de support Oracle

Les clients Oracle qui ont souscrit un contrat de support ont accès au support électronique via My Oracle Support. Pour plus d'informations, visitez le site http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info ou le site http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs si vous êtes malentendant.




Oracle Advanced Support Gateway Security Guide

Part No: E40643-24

Copyright © 2018, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Exceptas expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform,publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, isprohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:


This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerousapplications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take allappropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of thissoftware or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks ofSPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registeredtrademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates arenot responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreementbetween you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content,products, or services, except as set forth in an applicable agreement between you and Oracle.

Access to Oracle Support

Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.




Référence: E40643-24

Copyright © 2018, Oracle et/ou ses affiliés. Tous droits réservés.

Ce logiciel et la documentation qui l'accompagne sont protégés par les lois sur la propriété intellectuelle. Ils sont concédés sous licence et soumis à des restrictions d'utilisation etde divulgation. Sauf stipulation expresse de votre contrat de licence ou de la loi, vous ne pouvez pas copier, reproduire, traduire, diffuser, modifier, accorder de licence, transmettre,distribuer, exposer, exécuter, publier ou afficher le logiciel, même partiellement, sous quelque forme et par quelque procédé que ce soit. Par ailleurs, il est interdit de procéder à touteingénierie inverse du logiciel, de le désassembler ou de le décompiler, excepté à des fins d'interopérabilité avec des logiciels tiers ou tel que prescrit par la loi.

Les informations fournies dans ce document sont susceptibles de modification sans préavis. Par ailleurs, Oracle Corporation ne garantit pas qu'elles soient exemptes d'erreurs et vousinvite, le cas échéant, à lui en faire part par écrit.

Si ce logiciel, ou la documentation qui l'accompagne, est livré sous licence au Gouvernement des Etats-Unis, ou à quiconque qui aurait souscrit la licence de ce logiciel pour lecompte du Gouvernement des Etats-Unis, la notice suivante s'applique :


Ce logiciel ou matériel a été développé pour un usage général dans le cadre d'applications de gestion des informations. Ce logiciel ou matériel n'est pas conçu ni n'est destiné à êtreutilisé dans des applications à risque, notamment dans des applications pouvant causer un risque de dommages corporels. Si vous utilisez ce logiciel ou ce matériel dans le cadred'applications dangereuses, il est de votre responsabilité de prendre toutes les mesures de secours, de sauvegarde, de redondance et autres mesures nécessaires à son utilisation dansdes conditions optimales de sécurité. Oracle Corporation et ses affiliés déclinent toute responsabilité quant aux dommages causés par l'utilisation de ce logiciel ou matériel pour desapplications dangereuses.

Oracle et Java sont des marques déposées d'Oracle Corporation et/ou de ses affiliés. Tout autre nom mentionné peut correspondre à des marques appartenant à d'autres propriétairesqu'Oracle.

Intel et Intel Xeon sont des marques ou des marques déposées d'Intel Corporation. Toutes les marques SPARC sont utilisées sous licence et sont des marques ou des marquesdéposées de SPARC International, Inc. AMD, Opteron, le logo AMD et le logo AMD Opteron sont des marques ou des marques déposées d'Advanced Micro Devices. UNIX est unemarque déposée de The Open Group.

Ce logiciel ou matériel et la documentation qui l'accompagne peuvent fournir des informations ou des liens donnant accès à des contenus, des produits et des services émanant detiers. Oracle Corporation et ses affiliés déclinent toute responsabilité ou garantie expresse quant aux contenus, produits ou services émanant de tiers, sauf mention contraire stipuléedans un contrat entre vous et Oracle. En aucun cas, Oracle Corporation et ses affiliés ne sauraient être tenus pour responsables des pertes subies, des coûts occasionnés ou desdommages causés par l'accès à des contenus, produits ou services tiers, ou à leur utilisation, sauf mention contraire stipulée dans un contrat entre vous et Oracle.

Accès aux services de support Oracle

Les clients Oracle qui ont souscrit un contrat de support ont accès au support électronique via My Oracle Support. Pour plus d'informations, visitez le site http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info ou le site http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs si vous êtes malentendant.




Contents

Oracle Advanced Support Gateway Security Guide ........................................... 9About Oracle Advanced Support Gateway ........................................................... 9General Requirements .................................................................................... 10Changes to the Security Guide Since the Last Release .......................................... 10Firewall Port Requirements ............................................................................. 11External Connection ....................................................................................... 12

TLS VPN and Oracle Advanced Support Gateway ...................................... 13Alternative External Connection Option .................................................... 14

Controlling Remote VPN Access Using the Green Button Icon .............................. 14Customer Access to the Gateway ..................................................................... 15Internal Connection ....................................................................................... 15Firewall Rules: Ports and Protocols .................................................................. 15

Firewall Rules for External Traffic ........................................................... 17Firewall Rules for External Traffic Through the Encrypted VPN Tunnel .......... 18

Firewall Rules for Internal Traffic .................................................................... 19Firewall Rules Between the Gateway and the Customer Network ................... 20Firewall Rules for Gateway Hardware Self Monitoring ................................. 21Firewall Rules Between the Gateway and Exadata ....................................... 22Firewall Rules Between the Gateway and ZDLRA ...................................... 24Firewall Rules Between the Gateway and ZFS ............................................ 26Firewall Rules Between the Gateway and Exalogic ...................................... 28Firewall Rules Between the Gateway and SuperCluster ................................ 30Firewall Rules Between the Gateway and Exalytics ..................................... 33Firewall Rules Between the Gateway and Oracle Database Appliance .............. 34Firewall Rules Between the Gateway and Oracle Big Data Appliance .............. 35Firewall Rules Between the Gateway and Oracle Standalone Hosts ................. 37Firewall Rules Between the Gateway and Oracle Third-Party Hosts ................ 38Firewall Rules Between the Gateway and Hosts to be Monitored by ADS ......... 39ZFS, Exalogic, and SuperCluster ASR Endpoint IP Address Changes .............. 40

7

Contents

Implementation Changes to a Customer System .................................................. 41The Monitoring Matrix ........................................................................... 41Implementation Impact on the Environment ............................................... 42All Systems With An Agent Deployed ...................................................... 43Engineered Systems ............................................................................... 44Engineered System Cisco Switches ........................................................... 44Engineered System Infiniband Switches .................................................... 45Engineered System PDU's ....................................................................... 45OVS Compute Nodes ............................................................................. 45Exalogic Compute Nodes (Physical Implementation) and Exalogic VirtualMachines / Control Virtual Machines ........................................................ 46ZFS Storage Array Storage Heads ............................................................ 46Pillar Axiom 600 Storage Arrays ............................................................. 47Utilization Impact Risk of OEM Cloud Control Agent on MonitoredSystems ............................................................................................... 47Backout Plan ........................................................................................ 48

Server Prerequisites for Monitoring Deployment ................................................. 48Server Prerequisites for Monitoring Deployment ......................................... 48Monitoring Access: an Overview ............................................................. 49User Privileges ...................................................................................... 49Solaris 11 Initial Setup User RBAC Profile ................................................ 51Solaris 10 Initial Setup User RBAC Profile ................................................ 53Solaris sudo Profile ............................................................................... 54Linux sudo Profile ................................................................................. 55

Storage Prerequisites for Monitoring Deployment ............................................... 55Monitoring Deployment: an Overview ...................................................... 56Oracle ZFS Storage Appliances ............................................................... 56

Audit Logging .............................................................................................. 57Enabling and Disabling Logging Messages ................................................ 59

Managing ASR Audit Logs ............................................................................. 61About ASR Audit Logs .......................................................................... 61Viewing ASR Audit Logs ....................................................................... 61Downloading ASR Audit Logs ................................................................ 62

8 Oracle Advanced Support Gateway Security Guide • May 2018

Oracle Advanced Support Gateway SecurityGuide

This document outlines the requirements for deploying Oracle Advanced Support Gateway intothe customer environment to support the delivery of certain Oracle remote services (hereafterreferred to as Oracle Services.) The Oracle Advanced Support Gateway is an important partof the Oracle delivery architecture for Oracle Services and its placement must be carefullyconsidered in order for Oracle to deliver Oracle Services. This document outlines networkconfiguration options when integrating the Oracle Advanced Support Gateway device withinthe customer environment. To help explain these options, this document assumes a "simple"customer-side network topology. However, these options can extend to more complex networktopologies.

About Oracle Advanced Support Gateway

Oracle Advanced Support Gateway is a multi-purpose platform designed to facilitate a numberof Oracle Services including Oracle Platinum Services, Advanced Monitoring and Resolution,LifeCycle services, and Business Critical Service for Systems. The Oracle Advanced SupportGateway enables the simplification of network requirements and a single point of access for theprovision and delivery of these services.

The Gateway platform is based on the Oracle Linux operating system and hosts a full setof Oracle software stacks, including Automated Service Request (ASR), Oracle EnterpriseManager (12c or 13c), Oracle Configuration Manager, patch management (such as YUMservices), and a suite of Java applications. Together, these applications aggregate androute telemetry messages from the customer environment to the Oracle Support Servicesinfrastructure. The Oracle Advanced Support Gateway provides remote access for Oracleengineers to access the customer network (with customer permission) and to carry out approvedactions on customers' monitored systems.

Oracle Advanced Support Gateway Security Guide 9

General Requirements

General Requirements

There are a number of general requirements that are necessary for Oracle to deliver OracleServices:

■ An Oracle Advanced Support Gateway must be provisioned into the customer'senvironment.

■ All monitored systems must be network accessible from Oracle Advanced SupportGateway.

■ The monitored systems must be dedicated to the customer. Oracle will not be able to deliverservices for monitored systems which are not exclusively owned and controlled by thecustomer. Oracle recommends a dedicated, physical server. The Gateway can be deployedin a VM instance running on a standalone Oracle Virtual Machine (OVM) server. No othervirtualization technologies, for example, VMWare, are supported.

■ Oracle must have access to certain ports and protocols (described below) in order toimplement and deliver Oracle Services.

■ The Oracle Advanced Support Gateway must be continuously accessible from the OracleSupport Platform using the secure protocols described below. However, Oracle AdvancedSupport Gateway must not be directly exposed to the Internet.

In order to expedite the implementation process, the customer will be required to provide highlevel network topology which should include:

■ IP numbering scheme■ Routing policy■ Locations of firewalls■ Locations of monitored systems■ Proposed location of Gateway

Having this information enables Oracle to provide a recommendation regarding OracleAdvanced Support Gateway placement.

Changes to the Security Guide Since the Last Release

This section outlines the principal changes made to the Oracle Advanced Support GatewaySecurity Guide since the last release (E40643-23; April 2018.)

■ One of the NTP servers (137.254.105.5/32) to which customers required access through theVPN tunnel (for IPsec as well as for SSL-VPN) has been removed in this release as it is nolonger required.


Firewall Port Requirements

The NTP servers to which access is now required are as follows:■ 192.206.43.197/32■ 198.51.38.199/32

Refer to “Firewall Rules for External Traffic Through the Encrypted VPNTunnel” on page 18 for further informatiion.

■ A firewall rule has been added - and the source and destination values swapped to correct anerror in version 23 of Oracle Advanced Support Gateway Security Guide - for the followingsystems in order to provide support for the Patch Download service over TCP on port 443:■ Exadata: DB Nodes and DomU■ ZDLRA: Compute Node■ Exalogic: Compute Node

Exalogic: OVS Compute NodeExalogic: Control VMs

■ Supercluster: Primary Domains■ Exalytics: Domains, Dom0, and DomU■ Oracle Database Appliance: DB, DomU, and Compute Node■ Oracle Big Data Appliance: Compute Node and DomU■ Oracle Standalone Hosts: Host■ Oracle Third Party Hosts: Host■ ADS Hosts: Host

Refer to the individual firewall tables in “Firewall Rules for Internal Traffic” on page 19for further informatiion.

■ An optional firewall rule has been added for users of the Oracle Advanced Monitoring andResolution and Oracle Lifecycle Support services to access the Reporting Dashboard onOracle Advanced Support Gateway.

Firewall Port RequirementsThe specifics of the Oracle Services network requirement depends on the customer networktopology relative to the Oracle Services Support centers, Oracle Advanced Support Gateway,and the monitored systems. The customer networks must be configured to permit traffic flow asshown in the diagram below.

The firewall rules must be set up to allow traffic flow in two situations:

■ Between Oracle Advanced Support Gateway and Oracle Services Support centers. This isreferred to as the external connection.


External Connection

Note - A web proxy can be used to proxy the HTTPS traffic across the external connection.However, Oracle Advanced Support Gateway does not support NTLM or Kerberos proxyauthentication. The Transport Layer Security (TLS) VPN traffic cannot be routed through aproxy server.

Caution - To defend against security attacks, you should never connect Oracle AdvancedSupport Gateway interfaces or the Oracle ILOM Service Processor to a public network, suchas the Internet. The Gateway should never be exposed directly to the Internet without theprotection of a customer firewall or Access Control List (ACL.) You should keep the OracleILOM Service Processor management traffic on a separate management network and grantaccess only to system administrators. For further information, see the section on Securing thePhysical Management Connection in the Oracle ILOM Security Guide.

■ Between Oracle Advanced Support Gateway and the customer's monitored devices, througha customer-controlled firewall or other security devices. This is referred to as the internalconnection.

The diagram below depicts an example traffic flow between monitored systems and Oracle.(Detailed firewall rules and templates are provided to the customer during the implementationprocess.)

FIGURE 1 High Level Traffic Flow and Firewall Requirement

External Connection

Oracle utilizes a combination of a VPN solution and TLS to secure communications betweenOracle Advanced Support Gateway, located within the customer's environment, and the Oracle


http://docs.oracle.com/cd/E37444_01/html/E37451/z40006791391667.html

http://docs.oracle.com/cd/E37444_01/html/E37451/z40006791391667.html

External Connection

Services Support center locations. The VPN is primarily used for tasks such as facilitatingpatching requirements from Oracle Services Support center locations to Oracle AdvancedSupport Gateway and TLS is used for transporting the monitoring telemetry from OracleAdvanced Support Gateway to the Oracle Services Support center locations.

TLS VPN and Oracle Advanced Support Gateway

The Oracle Advanced Support Gateway is configured with a software TLS-based VPN client.When the Gateway boots up, it opens an outbound connection to one of three Oracle ServicesSupport centers, establishing a TLS VPN tunnel. At that point, this connection is used forinbound connectivity between the Oracle Services Support center and the Gateway. No inboundfirewall port openings are required, as the initial connection is outbound. The Gateway isassigned a unique ID and password and connects to one of three Oracle VPN concentrators. TheTLS-based VPN has the following features:

■ Connection based on TLS 1.2, AES256 symmetric encryption to ensure traffic integrity andconfidentiality

■ Continuous VPN connection availability through the use of active/passive VPN clusterservers at the Oracle Services Support centers. Any hardware or software issues on theactive VPN server failover all connections to the backup VPN.

■ Disaster recovery processes that use multiple clusters around the world. Any connectionissue with one of the Oracle Services Support centers failover client connections to the otherOracle Services Support centers.

FIGURE 2 A TLS-Based VPN Client Connection from Oracle Advanced Support Gateway toOracle


Controlling Remote VPN Access Using the Green Button Icon

Note - The TLS VPN is the standard method for establishing the connection with Oracle.Alternative connection methods are available on an exception, customer-by-customer basisthat is summarized in “Alternative External Connection Option” on page 14. If you wish toexplore these options further, please contact your Oracle Implementation Manager.

Alternative External Connection Option

Oracle offers an alternate method for establishing a connection using IPSec. The connectionis terminated on the customer's existing VPN hardware. This option generally requires anextended implementation cycle and is approved on an exception basis. If the customer choosesto use their existing VPN device (for example, firewall or VPN concentrator) as a terminationpoint, the VPN overall requirements described above remain the same. The encryption domainrequirements for this connection will create a more complex configuration.

The requirements include, but are not limited to:

■ A public IP per Gateway connection supplied by the customer for use inside the VPNencryption domain;

■ Access to one /26 subnet and multiple /32 addresses inside the encryption domain;■ Allowing the ports and protocols listed in the table specifying firewall rules between

the Gateway and Oracle standalone hosts in this guide (see “Firewall Rules Between theGateway and Oracle Standalone Hosts” on page 37) to communicate across the VPN;

■ Network Address Translation (NAT) can be used for the source address of the Gatewayoutbound to the Internet for external communication back to Oracle. For the Oracle Serviceendpoints to which the Gateway needs to communicate, NAT is not supported. These OracleService endpoints must reside on their public IP addresses.

Controlling Remote VPN Access Using the Green ButtonIcon

Oracle security policies require a VPN between Oracle and the customer so that Oracle canaccess the customer systems. The Oracle Advanced Support Gateway enables the customer tocontrol remote access to enable and disable VPN connectivity with Oracle. The Remote Accessicon, also referred to as the Green Button, is displayed in the utility menu on the top-right of theGateway user interface. You can set the duration of a VPN session, toggle the icon to turn theremote access session on or off, or view a history of remote access control sessions.


Customer Access to the Gateway

Note - Remote VPN Access ("Green Button") functionality is not available for all OracleConnected Services. Please refer to your Oracle representative for further details.

This feature is described in Oracle Advanced Support Gateway User's Guide.

Customer Access to the Gateway

After installation of Oracle Advanced Support Gateway is complete, Oracle retains access tothe Gateway and will require ongoing access to it for delivery of services (customer accessto the Lights Out Management (LOM) section of the server is permitted.) Customer access isauthorized only through the Customer Admin account which enables the use of the CLISHcommand line interface (CLI), and through the Gateway Web portal that the customer canaccess using a browser. This CLI exposes only those commands and configuration wizardsthat are intended for customer interaction and customization of the Gateway. Customers arenot authorized to access the Gateway using any other user account or other CLIs (such asbash or sh). Customers should not modify the Gateway to obtain access as other users (forexample, root) and should not install any software agentry (monitoring or management) onthe Gateway. To do so would represent unauthorized access to, or modification of, an Oraclemanaged system.

Internal Connection

Placing Oracle Advanced Support Gateway in a customer's DMZ that is not directly exposedto the Internet is the recommended internal connection option. By placing Oracle AdvancedSupport Gateway in a DMZ behind an Internet firewall, the customer has control of traffictraversing their internal networks and also of inbound connections from the Internet.

Firewall Rules: Ports and Protocols

This section provides information about the standard firewall port configurations necessary forthe delivery of Oracle Services.

Note - The final port and firewall requirements depend on the specific Engineered Systembeing monitored by Oracle Services, the connectivity method chosen, and the actual customernetwork design.



The following table outlines firewall port configurations and tables that provide information onmonitoring requirements. Each table is associated with the services and systems which apply toit, for example, All Services means all remotely delivered services: Oracle Platinum Services,Oracle Advanced Monitoring and Resolution, and Oracle Advanced Database Services (ADS.)

TABLE 1 Firewall Rules Tables, Other Monitoring Tables and Applicable Oracle Services and Systems

Table Description Applicable Oracle Services/Systems

“Firewall Rules for External Traffic” on page 17 All Oracle Services

“Firewall Rules Between the Gateway and the Customer Network” on page 20 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution

“Firewall Rules for Gateway Hardware Self Monitoring” on page 21 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution

“Firewall Rules Between the Gateway and Exadata” on page 22 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution

“Firewall Rules Between the Gateway and ZDLRA” on page 24 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution

“Firewall Rules Between the Gateway and ZFS” on page 26 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution

“Firewall Rules Between the Gateway and Exalogic” on page 28 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution

“Firewall Rules Between the Gateway and SuperCluster” on page 30 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution

“Firewall Rules Between the Gateway and Exalytics” on page 33 ■ Oracle Advanced Monitoring and Resolution

“Firewall Rules Between the Gateway and Oracle DatabaseAppliance” on page 34

■ Oracle Advanced Monitoring and Resolution

“Firewall Rules Between the Gateway and Oracle Big DataAppliance” on page 35


“Firewall Rules Between the Gateway and Oracle StandaloneHosts” on page 37


“Firewall Rules Between the Gateway and Oracle Third-PartyHosts” on page 38


“Firewall Rules Between the Gateway and Hosts to be Monitored byADS” on page 39

■ Oracle Advanced Database Support (ADS)

“ZFS, Exalogic, and SuperCluster ASR Endpoint IP AddressChanges” on page 40

■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution

“Firewall Rules for External Traffic Through the Encrypted VPNTunnel” on page 18

■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution

“The Monitoring Matrix” on page 41 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution

“Utilization Impact Risk of OEM Cloud Control Agent on Monitored Systems” on page 47

All Oracle Services



Table Description Applicable Oracle Services/Systems

“Restricted User for Monitoring Deployment (AKSH Shell)” on page 56 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution

The firewall port configurations are divided into sections:

■ “Firewall Rules for External Traffic” on page 17■ “Firewall Rules for External Traffic Through the Encrypted VPN Tunnel” on page 18■ “Firewall Rules for Internal Traffic” on page 19

Firewall Rules for External Traffic

Note - The source for all these entries is Oracle Advanced Support Gateway. The rules inTable 2, “Firewall Rules Between Oracle Advanced Support Gateway and the Oracle ServicesSupport Center,” on page 17 apply to all of Oracle's Connected Services.

TABLE 2 Firewall Rules Between Oracle Advanced Support Gateway and the Oracle Services Support Center

Destination Destination IPAddress(es)

ApplicationProtocol

Network Protocol/Port

Purpose

adc-ps-ssl-vpn.oracle-occn.com

llg-ps-ssl-vpn.oracle-occn.com

tokyo-ps-ssl-vpn.oracle-occn.com

198.17.210.28

141.143.215.68

140.83.95.28

TLS VPN TCP/443 - TLS

UDP/443 - DTLS(Datagram TLS)

To establish a TLS VPN connection*between Oracle and Oracle AdvancedSupport Gateway.

*Cannot support communicationthrough an internet proxy.

dts.oracle.com 192.206.43.1 HTTPS TCP/443 To securely transport monitoring datato Oracle.

transport-adc.oracle.com 141.146.156.41 HTTPS TCP/443 To securely transport monitoring andother data to Oracle.

ccr.oracle.com 141.146.54.49 HTTPS TCP/443 To upload the customer's configurationdata to Oracle's centralizedconfiguration repository.

support.oracle.com 141.146.54.16 HTTPS TCP/443 To download patches onto OracleAdvanced Support Gateway from MyOracle Support (MOS) via the OracleEnterprise Manager (OEM) CloudControl UI.

login.oracle.comNote - Each hostnamecurrently resolves to multipleworking IP addresses. Accessto all addresses listed must bepermitted as Oracle will switch

209.17.4.8

156.151.58.18

141.146.8.119

HTTPS TCP/443 To connect to Oracle's centralizedauthentication site.



Destination Destination IPAddress(es)

ApplicationProtocol

Network Protocol/Port

Purpose

from one to another in the nearfuture.

linux-update.oracle.com

linux-update-adc.oracle.com

linux-update-ucf.oracle.com

137.254.56.42

137.254.56.42

156.151.58.24

HTTPS TCP/443 To patch Oracle Advanced SupportGateway and to download patches(from Unbreakable Linux Networkservers) for customers who havepatching services.

updates.oracle.com 141.146.44.51 HTTPS TCP/443 To provide patch downloads viaOracle Enterprise Manager (OEM).

acs-rac.oracle.com 129.157.65.44 HTTPS TCP/2056 When the Remote Access Controlfeature is active on Oracle AdvancedSupport Gateway (that is, the "GreenButton" is on), rsyslog is used to sendaudit logs to Oracle via a securedchannel.

ZFS Phone Home 129.157.65.13

129.157.65.14

141.146.1.169

ZFS PhoneHome

TCP/443 ZFS fault monitoring is shipped directto these Oracle systems. Used whenOracle Advanced Support Gatewayhosts a proxy server for the ZFSControllers.Note - ZFS Controllers may alsobe known as ZFS Storage Heads.The term ZFS Controller is usedthroughout this document.

Firewall Rules for External Traffic Through theEncrypted VPN TunnelIf you use the Oracle-provided TLS VPN solution, the following table is informational only,illustrating the traffic transmitted over the VPN in support of Oracle Advanced SupportGateway. If the alternative VPN solution is used, the following traffic must be allowed tocommunicate over the VPN.

TABLE 3 Firewall Rules between Oracle Advanced Support Gateway and the Oracle Data Center Using VPN Tunnel

Source Destination Network Protocol/Port Purpose

Oracle Advanced SupportGateway

■ 192.206.43.197/32■ 198.51.38.199/32

NTP (UDP/123) Network Time Protocol (NTP)


■ 192.206.43.194/32■ 198.51.38.197/32

Syslog (TCP/514) Oracle Advanced SupportGateway Syslog


198.51.38.194/32 HTTPS (TCP/8080,9898) Oracle Advanced SupportGateway file integritymonitoring


Firewall Rules for Internal Traffic


198.51.38.193/32 Oracle Advanced SupportGateway

HTTPS (TCP/8080,9898) Oracle Advanced SupportGateway file integritymonitoring

■ 192.206.43.209/32■ 198.51.38.209/32■ 140.85.164.34/32


Security Scanner

■ TCP/UDP/1-65535■ ICMP (Types 8 & 0)

Oracle Advanced SupportGateway availability andsecurity scanning

■ 198.51.37.1/32■ 193.188.5.1/32■ 140.83.88.1/32■ 140.83.88.129/32■ 140.83.89.1/32■ 141.146.155.40/32■ 141.146.155.41/32■ 192.206.43.208/32■ 198.51.38.208/32


■ ICMP (Types 8 & 0)■ SSH (TCP/22)■ HTTPS (TCP/443,

7799,9702)■ SGD (TCP/5307)

Management traffic to remotelymanage Oracle AdvancedSupport Gateway and alsofacilitate remote access


■ 192.206.43.196/32■ 198.51.38.198/32

HTTPS (TCP/443) REST services for OracleAdvanced Support Gateway


■ 192.206.43.193/32■ 198.51.38.196/32

LDAP (TCP/636) Oracle Advanced SupportGateway authentication(LDAP)


This section provides internal firewall rules tables for the customer network, Oracle AdvancedSupport Gateway hardware self monitoring, Exadata Database Machine (Exadata), ZeroData Loss Recovery Appliance, ZFS Storage Appliance Racked System, Exalogic ElasticCloud (Exalogic), SuperCluster, Exalytics In-Memory Machine (Exalytics), Oracle DatabaseAppliance, Oracle Big Data Appliance, Oracle Cloud at Customer, Oracle Exadata Cloud atCustomer, and standalone hosts (both Oracle and third-party.)

This section also provides an internal firewall rules table between the Gateway and the hoststo be monitored by Oracle Advanced Database Support (ADS). Finally, this section containsa table listing ASR Endpoint IP address changes that apply to the following: ZFS StorageAppliance Racked System, Exalogic, and SuperCluster.

To see which of the following tables apply for Oracle Platinum Services, please see the Oracle-certified Platinum Services configurations on the Oracle Support website.


http://www.oracle.com/us/support/library/certified-platinum-configs-1652888.pdf

http://www.oracle.com/us/support/library/certified-platinum-configs-1652888.pdf


Note - If communication between management interfaces (that are connected to the Cisco IPswitch within the Engineered System) is separated by a firewall, Access Control List (ACL),or any form of network filtering, the firewall rules must allow communication between theseinterfaces.

■ “Firewall Rules Between the Gateway and the Customer Network” on page 20■ “Firewall Rules for Gateway Hardware Self Monitoring” on page 21■ “Firewall Rules Between the Gateway and Exadata” on page 22■ “Firewall Rules Between the Gateway and ZDLRA” on page 24■ “Firewall Rules Between the Gateway and ZFS” on page 26■ “Firewall Rules Between the Gateway and Exalogic” on page 28■ “Firewall Rules Between the Gateway and SuperCluster” on page 30■ “Firewall Rules Between the Gateway and Exalytics” on page 33■ “Firewall Rules Between the Gateway and Oracle Database Appliance” on page 34■ “Firewall Rules Between the Gateway and Oracle Big Data Appliance” on page 35■ “Firewall Rules Between the Gateway and Oracle Standalone Hosts” on page 37■ “Firewall Rules Between the Gateway and Oracle Third-Party Hosts” on page 38■ “Firewall Rules Between the Gateway and Hosts to be Monitored by ADS” on page 39■ “ZFS, Exalogic, and SuperCluster ASR Endpoint IP Address Changes” on page 40

Firewall Rules Between the Gateway and theCustomer Network

The ports outlined in this table are required for accessing the Oracle Advanced SupportGateway customer interfaces (command line and web interfaces) as well as ports required forintegrating syslog and user management email notifications.

TABLE 4 Firewall Rules Between the Gateway and the Customer Network


Customer User Desktop/Intranet


ICMP Type 0 and 8 Optional: Used by customers to testconnectivity to the Gateway from theirinternal networks.


Customer default gateway onDMZ

ICMP Type 0 and 8 Ping between the Gateway and the defaultrouter is temporarily used during installationof the Gateway to confirm networkconnectivity.



TCP/22 Customer access to CLI for network andsyslog configuration of the Gateway.






HTTPS (TCP/443) Customer access to Portal interface foradministration of the Gateway and access toservices.


Customer syslog server UDP/514 Rule required if the customer enables theOracle Advanced Support Gateway AuditLogging feature.


Oracle Advanced SupportGateway ILOM

TCP/22 Customer access from ILOM to assist infailure troubleshooting.



HTTPS (TCP/443) Customer access from ILOM to assist infailure troubleshooting.



HTTPS (TCP/7799) (Optional)

Users of the Oracle Advanced Monitoringand Resolution service and the OracleLifecycle Support services can access aReporting Dashboard on Oracle AdvancedSupport Gateway.

Firewall Rules for Gateway Hardware SelfMonitoringThis section provides an internal firewall rules table for Oracle Advanced Support Gatewayhardware self monitoring.

Note - This functionality is required only if the Gateway ILOM has been configured on adifferent network than the Gateway Ethernet network interfaces.

TABLE 5 Firewall Rules for Gateway Hardware Self Monitoring


Bidirectional (OracleAdvanced SupportGateway ILOM andOracle Advanced SupportGateway)

Bidirectional (OracleAdvanced Support GatewayILOM and Oracle AdvancedSupport Gateway)

ICMP Type 0 and 8 Used to test bidirectional networkconnectivity



SNMP (UDP/162) SNMP traps for ASR telemetry (Gatewayhardware self monitoring)



RCMP+ (UDP/623;TCP/623)

Management and monitoring via ILOMinterface (IPMI)



SNMP (UDP/161) SNMP for ASR telemetry (Gatewayhardware self monitoring)



SSH (TCP/22) Management and configuration of ILOM






ASR (TCP/6481) ASR for discovery and monitoring byservice tags



HTTPS (TCP/443) Monitoring configuration and faultdiagnostic collection

Firewall Rules Between the Gateway and ExadataThis section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle Exadata Database Machine.

TABLE 6 Firewall Rules Between the Gateway and Exadata

ApplicationProtocol

Source Interface(s) Destination Interface(s) NetworkProtocol/Port

Purpose

ICMP All monitored interfaces Oracle Advanced SupportGateway

ICMP Type 0and 8

Used to test network connectivitybetween customer systems and theGateway

ICMP Oracle Advanced SupportGateway

All monitored interfaces ICMP Type 0and 8

Used to test network connectivitybetween the Gateway and customersystems

OEM Oracle Advanced SupportGateway

DB Node and DomU TCP/1830-1839

OEM Agent communication;typically port 1830 is used forOracle Services

SNMP Oracle Advanced SupportGateway

Infiniband

PDU

Cisco Switch

Cell Node ILOM

Cell Node

DB Node ILOM

DB Node and DomU

UDP/161 SNMP for ASR telemetry

ASR Oracle Advanced SupportGateway

Infiniband

Cell Node

Cell Node ILOM

DB Node

DB Node ILOM

TCP/6481 ASR for discovery and monitoringby service tags

HTTPS Oracle Advanced SupportGateway

Cell Node ILOM

DB Node ILOM

TCP/443 Monitoring configuration and faultdiagnostic collection



ApplicationProtocol


Purpose

Infiniband

HTTPS DB Node and DomU Oracle Advanced SupportGateway

TCP/443 Patch Download Service forpatching support.

HTTP/HTTPS


PDUNote - In late Exadata X4-2 andX5-2 or above, the PDU Webinterface can only be accessedusing HTTPS (not HTTP.)

TCP/80(HTTP)

Or

TCP/443(HTTPS)

PDU web interface for monitoringconfiguration and diagnostics

SSH Oracle Advanced SupportGateway

Infiniband

Cell Node

Cell Node ILOM

DB Node and DomU

DB Node ILOM

PDU

TCP/22 Monitoring configuration, faultdiagnostics and patching

SSH DB Node and DomU Infiniband

Cell Node

Cell Node ILOM

DB Node

DB Node ILOM

PDU

Cisco Switch

TCP/22 Monitoring of hardware components

SNMP DB Node and DomU PDU

Cisco Switch

UDP/161 Monitoring of hardware components

SSH/Telnet Oracle Advanced SupportGateway

Cisco Switch (older switchessupport only Telnet)

TCP/22 (SSH)

Or

TCP/23(Telnet)

Monitoring configuration, faultdiagnostics and patching

SQL Oracle Advanced SupportGateway

DB listener IP (VIP)Note - If a database is onlylistening on a Client/VIP, thenaccess to this interface must alsobe allowed.

DB listenerport, default isTCP/1521

DB listener port for discovery andongoing monitoringNote - This is not required forPlatinum Services customers.

RCMP+ Oracle Advanced SupportGateway

Cell Node ILOM

DB Node ILOM

UDP/623,TCP/623

Management and monitoring viaILOM interface (IPMI)



ApplicationProtocol


Purpose

HTTPS(OEMAgent)

DB Node and DomU Oracle Advanced SupportGateway

TCP/1159 OEM agent communication toOracle Advanced Support GatewayNote - For Exadata, customers mustadd static routes to force all trafficwith Oracle Advanced SupportGateway as its destination to use theManagement Network as a primaryinterface for communication. Thestatic route must be permanentbecause in the event of any restartof the nodes, the route will bedeleted and communication betweenthe agents and Oracle AdvancedSupport Gateway will go down.

SNMP Infiniband

PDU

Cisco Switch

Cell Node ILOM

Cell Node

DB Node ILOM

DB Node


UDP/162 SNMP for monitoring events and/ornetwork monitoring

Firewall Rules Between the Gateway and ZDLRA

This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle Zero Data Loss Recovery Appliance (ZDLRA).

TABLE 7 Firewall Rules Between the Gateway and Zero Data Loss Recovery Appliance

ApplicationProtocol


Purpose


ICMP Type 0and 8






Compute Node TCP/1830-1839

OEM Agent communication;typically port 1830 is used forOracle Services



ApplicationProtocol


Purpose


Infiniband

PDU

Cisco Switch

Storage Node ILOM

Storage Node

Compute Node ILOM

Compute Node


SNMP DB Node and DomU PDU

Cisco Switch

UDP/161 Monitoring of hardware components


Infiniband

Storage Node

Storage Node ILOM

Compute Node

Compute Node ILOM



Storage Node ILOM

Compute Node ILOM

Infiniband


HTTPS Compute Node Oracle Advanced SupportGateway


HTTP/HTTPS


PDUNote - In late Exadata X4-2 andX5-2 or above, the PDU Webinterface can only be accessedusing HTTPS (not HTTP.)

TCP/80(HTTP)

Or

TCP/443(HTTPS)



Infiniband

Storage Node

Storage Node ILOM

Compute Node

Compute Node ILOM

PDU




TCP/22 (SSH) Monitoring configuration, faultdiagnostics and patching



ApplicationProtocol


Purpose

Or

TCP/23(Telnet)


DB listener IP (VIP)Note - If a database is onlylistening on a Client/VIP, thenaccess to this interface must alsobe allowed)


DB listener port for discovery andongoing monitoring


Storage Node ILOM

Compute Node ILOM

UDP/623,TCP/623

Management and monitoring viaILOM interface (IPMI)

HTTPS(OEMAgent)

Compute Node Oracle Advanced SupportGateway

TCP/1159 OEM agent communication toOracle Advanced Support GatewayNote - For Zero Data LossRecovery Appliance, customersmust add static routes to forceall traffic with Oracle AdvancedSupport Gateway as its destinationto use the Management Networkas a primary interface forcommunication. The static routemust be permanent because inthe event of any restart of thenodes, the route will be deleted andcommunication between the agentsand Oracle Advanced SupportGateway will go down.

SNMP Infiniband

PDU

Cisco Switch

Storage Node ILOM

Storage Node

Compute Node ILOM

Compute Node



Firewall Rules Between the Gateway and ZFS

This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle ZFS Storage Appliance Racked System (ZFS).



TABLE 8 Firewall Rules Between the Gateway and ZFS Storage Appliance Racked System

ApplicationProtocol


Purpose


ICMP Type 0and 8






ZFS Controllers

ZFS ILOM

TCP/22 Monitoring configuration, faultdiagnostics, and patching


PDU TCP/22 Monitoring configuration, faultdiagnostics and patching


PDU TCP/443(HTTPS)



ZFS ILOM TCP/443 Monitoring configuration and faultdiagnostic collection


ZFS Controllers TCP/215 OEM plug-in communication to ZFSfor monitoring


PDU

ZFS ILOM

ZFS Controllers


SNMP PDU Oracle Advanced SupportGateway

UDP/162 SNMP for Monitoring Events


ZFS ILOM UDP/623,TCP/623

Management and monitoring usingthe ILOM interface (IPMI)

ZFS PhoneHome

ZFS Controllers asr-services.oracle.com

inv-cs.oracle.com

transport.oracle.com

Or

Proxy IP

TCP/443 orproxy port

ZFS Phone Home can also supportan internet proxy

Direct access or proxy to:

129.157.65.13

129.157.65.14

141.146.1.169

ZFS PhoneHome

ZFS Controllers Oracle Advanced SupportGateway

TCP/8000 Gateway hosting a proxy server

SSH ZFS Controllers Oracle Advanced SupportGateway

TCP/22 Used to copy patches from thegateway to the ZFS arrays as SCP isavailable only to pull from a remotesystem to the ZFS array.



Note - ZFS reporting for ASR is an exception as error telemetry is reported directly to Oracleusing port 443.

Firewall Rules Between the Gateway and Exalogic

This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle Exalogic Elastic Cloud.

TABLE 9 Firewall Rules Between the Gateway and Exalogic

ApplicationProtocol


Purpose


ICMP Type 0and 8




Used to test network connectivitybetween the Gateway andcustomer systems


Compute Node

Control VMs (virtual only)

TCP/1830-1839 OEM Agent communication,typically 1830 is used for OracleServices


Infiniband

PDU

Cisco Switch

Compute Node

Compute Node ILOM

Virtual Instances



Compute Node

Compute Node ILOM

Infiniband



Compute Node ILOM

Infiniband

ZFS ILOM


HTTPS Compute Node

OVS Compute Node

Control VMs





ApplicationProtocol


Purpose


ZFS ILOM

ZFS Controllers


HTTP/HTTPS Oracle Advanced SupportGateway

PDUNote - In late Exalogic X4-2 andX5-2 or above, the PDU Webinterface can only be accessedusing HTTPS (not HTTP.)

TCP/80 (HTTP)

Or

TCP/443(HTTPS)



PDU TCP/22 Monitoring configuration, faultdiagnostics and patching


Infiniband


ZFS Controllers

Compute Node

ZFS ILOM

Compute Node ILOM




TCP/22 (SSH)

Or

TCP/23 (Telnet)



Control VMs (Virtual only)Note - If a database is onlylistening on a Client/VIP accessto this interface must also beallowed.


DB listener port for discovery andongoing monitoring


Compute Node ILOM

ZFS ILOM

UDP/623,TCP/623

Management and monitoring usingthe ILOM interface (IPMI)


Compute Node TCP/7001-7002 Monitoring install and diagnosticscollection

HTTPS - ZFSagent


ZFS Controllers TCP/215 OEM plug-in communication toZFS for monitoring

HTTPS (OEMagent)

Compute Node



TCP/1159 OEM agent communication toOracle Advanced Support GatewayNote - For Exalogic, customersmust add static routes to forceall traffic with Oracle AdvancedSupport Gateway as its destinationto use the Management Networkas a primary interface forcommunication. The static routemust be permanent because in



ApplicationProtocol


Purpose

the event of any restart of thenodes, the route will be deleted andcommunication between the agentsand Oracle Advanced SupportGateway will go down.

SNMP Infiniband

PDU

Cisco Switch

Compute Node

Compute Node ILOM


UDP/162 SNMP for Monitoring Events

HTTP Compute Node (Solaris)

Zones


TCP/5555 Solaris Explorer uploads forautomatic uploads for events

HTTPS Compute Node (Solaris)

Zones


TCP/8234 ASR Assets to communicate withASR Manager

ZFS PhoneHome


inv-cs.oracle.com


Or

Proxy IP




129.157.65.13

129.157.65.14

141.146.1.169

ZFS PhoneHome



Firewall Rules Between the Gateway andSuperCluster

This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle SuperCluster.

TABLE 10 Firewall Rules Between the Gateway and SuperCluster

ApplicationProtocol

Source Interface(s) Destination Interface(s) Network Protocol/Port

Purpose


ICMP Type 0 and 8 Used to test networkconnectivity between customersystems and the Gateway



ApplicationProtocol


Purpose

ICMP Oracle AdvancedSupport Gateway

All monitored interfaces ICMP Type 0 and 8 Used to test networkconnectivity between theGateway and customer systems

OEM Oracle AdvancedSupport Gateway

All Domains

Zones based on monitoringservice

TCP/1830-1839 OEM agent communication,typically 1830 is used forOracle Services

SNMP Oracle AdvancedSupport Gateway

Infiniband

PDU

Cisco Switch

SPARC Server ILOMs(virtual/floating addresses aswell as physical addresses)

Primary Domains

Cell Node

Cell Node ILOM


ASR Oracle AdvancedSupport Gateway

Infiniband


Primary Domains

Cell Node

Cell Node ILOM

TCP/6481 ASR for discovery andmonitoring by service tags

HTTPS Oracle AdvancedSupport Gateway


Infiniband

ZFS ILOM

Cell Node ILOM

TCP/443 Monitoring configuration andfault diagnostic collection

HTTPS Primary Domains Oracle Advanced SupportGateway


HTTPS - ZFS agent Oracle AdvancedSupport Gateway

ZFS Controllers TCP/215 OEM plug-in communication toZFS for monitoring

SSH Oracle AdvancedSupport Gateway

Infiniband

ZFS Controllers

ZFS ILOM




ApplicationProtocol


Purpose

SPARC Server ILOMs(Virtual/Floating addresses aswell as Physical addresses)

Cell Node ILOM

Cell Node

PDU

All Domains

Zones based on monitoringservice

HTTP/HTTPS Oracle AdvancedSupport Gateway

PDU TCP/80 (HTTP)

Or

TCP/443 (HTTPS)

PDU web interface formonitoring configuration anddiagnostics

SSH/Telnet Oracle AdvancedSupport Gateway


TCP/22 (SSH)

Or

TCP/23 (Telnet)


SQL Oracle AdvancedSupport Gateway

Database domains/zones

Client/VIPNote - if a database is onlylistening on a Client/VIP,access to this interface mustalso be allowed.

DB listener port,default is TCP/1521

DB listener port for discoveryand ongoing monitoringNote - This is not required forPlatinum Services customers.

RCMP+ Oracle AdvancedSupport Gateway


Cell Node ILOM

ZFS ILOM

UDP/623, TCP/623 Management and monitoringusing ILOM interface (IPMI)

WebLogic Oracle AdvancedSupport Gateway

WebLogic instances TCP/7001-7002 Monitoring install anddiagnostics collection

HTTPS (OEMAgent)

All Domains

Zones based onmonitoring service


TCP/1159 OEM agent communicationto Oracle Advanced SupportGatewayNote - For SuperCluster,customers must add staticroutes to force all traffic withOracle Advanced SupportGateway as its destination touse the Management Networkas a primary interface forcommunication. The static route



ApplicationProtocol


Purpose

must be permanent because inthe event of any restart of thenodes, the route will be deletedand communication betweenthe agents and Oracle AdvancedSupport Gateway will go down.

SNMP Primary Domains

Infiniband

PDU

Cisco Switch

SPARC Server ILOMs(virtual/floatingaddresses as well asphysical addresses)

Cell Node

Cell Node ILOM


UDP/162 SNMP for monitoring events

HTTP Primary Domains Oracle Advanced SupportGateway

TCP/5555 Solaris Explorer uploads forautomatic uploads for events

HTTPS Primary Domains Oracle Advanced SupportGateway

TCP/8234 ASR Manager to communicatewith ASR Assets


SuperCluster Control Domain TCP/8000 Access to the IO DomainCreation Tool for Monitoringand log file collection

ZFS Phone Home ZFS Controllers asr-services.oracle.com

inv-cs.oracle.com


Or

Proxy IP

TCP/443 or proxyport

ZFS Phone Home can alsosupport an internet proxy


129.157.65.13

129.157.65.14

141.146.1.169

ZFS Phone Home ZFS Controllers Oracle Advanced SupportGateway


Firewall Rules Between the Gateway and Exalytics

This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle Exalytics In-Memory Machine.



TABLE 11 Firewall Rules Between the Gateway and Exalytics

Application Protocol Source Interface(s) Destination Interface(s) Network Protocol/Port Purpose

ICMP All monitoredinterfaces


ICMP Type 0 and 8 Used to test networkconnectivity betweencustomer systems and theGateway


All monitored interfaces ICMP Type 0 and 8 Used to test networkconnectivity between theGateway and customersystems


Exalytics and ExalyticsILOM





HTTPS Exalytics CDom Oracle Advanced SupportGateway

TCP/8234 ASR Manager tocommunicate with ASRAssets


Exalytics Domains andDomU

TCP/1830-1839 OEM Agent communication,typically 1830 is used forOracle Services


Exalytics Domains, DomU,Dom0, and ILOM

TCP/22 Monitoring configuration,fault diagnostics and patching

SNMP Exalytics CDom andILOM


UDP/162 SNMP for monitoring eventsand/or network monitoring

HTTPS (OEM Agent) Exalytics Domains andDomU


TCP/1159 OEM agent communicationto Oracle Advanced SupportGateway

RCMP+ Oracle AdvancedSupport Gateway

Exalytics ILOM UDP/623, TCP/623 Management and monitoringvia ILOM interface (IPMI)




HTTPS Exalytics Domains,DomU, and Dom0



Firewall Rules Between the Gateway and OracleDatabase Appliance

This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle Database Appliance.



TABLE 12 Firewall Rules Between the Gateway and Oracle Database Appliance








DB, Compute Node, andCompute Node ILOM



DB, Compute Node, andCompute Node ILOM



DB, DomU, or ComputeNode



DB, DomU, ComputeNode, and Compute NodeILOM


SNMP DB, Compute Node,and Compute NodeILOM



HTTPS (OEM Agent) DB, DomU, andCompute Node



RCMP+ (IPMI) Oracle AdvancedSupport Gateway

Compute Node ILOM UDP/623, TCP/623 Management and monitoringvia ILOM interface (IPMI)


DB or Compute NodeILOM


HTTPS DB, DomU, andCompute Node



Firewall Rules Between the Gateway and OracleBig Data Appliance

This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle Big Data Appliance.



TABLE 13 Firewall Rules Between the Gateway and Oracle Big Data Appliance








Infiniband

PDU

Cisco Switch

Compute Node ILOM

DomU, or Compute Node



Infiniband

Compute Node

Compute Node ILOM



DomU

Or

Compute Node



Infiniband

DomU

Compute Node ILOM

PDU


SNMP Infiniband

PDU

Cisco Switch

Compute Node ILOM

Compute Node



HTTPS (OEM Agent) Compute Node

DomU



RCMP+ (IPMI) Oracle AdvancedSupport Gateway

Compute Node ILOM UDP/623, TCP/623 Management and monitoringvia ILOM interface (IPMI)





Compute Node ILOM

Infiniband


HTTPS Compute Node

DomU



SSH/Telnet Oracle AdvancedSupport Gateway

Cisco Switch (olderswitches support onlyTelnet)

TCP/22 (SSH)

Or

TCP/23 (Telnet)

Monitoring configuration,fault diagnostics and patching

HTTP Oracle AdvancedSupport Gateway

PDU TCP/80 (HTTP)

TCP/443 (HTTPS)

PDU web interface formonitoring configuration anddiagnostics

HTTP/HTTPS Oracle AdvancedSupport Gateway

Cloudera Manager TCP/7180 (HTTP)

Or

TCP/7183 (HTTPS)

Cloudera Manager webinterface for monitoringconfiguration and diagnostics.

The Cloudera Manager mustbe HTTPS or HTTP. Thecustomer may change thedefault ports.

Firewall Rules Between the Gateway and OracleStandalone Hosts

This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle standalone hosts.

TABLE 14 Firewall Rules Between the Gateway and Oracle Standalone Hosts

ApplicationProtocol


Purpose


ICMP Type 0and 8






Host

Host ILOM (If Oracle Hardware)



Host TCP/1830-1839

OEM agent communication,typically 1830 is used for OracleServices



ApplicationProtocol


Purpose


Host




Host



SNMP Host

Host ILOM (If OracleHardware)



HTTPS(OEMAgent)

Host Oracle Advanced SupportGateway

TCP/1159 OEM agent communication toOracle Advanced Support Gateway


Host


UDP/623,TCP/623

Management and monitoring usingILOM interface (IPMI)


Host



HTTPS Host Oracle Advanced SupportGateway


HTTPS -ZFS agent


ZFS Controllers TCP/215 OEM plug-in communication to ZFSfor monitoring

HTTPS Primary Domain

Host


TCP/8234 ASR Manager to communicate withASR Assets

ZFS PhoneHome


inv-cs.oracle.com


Or

Proxy IP




■ 129.157.65.13■ 129.157.65.14■ 141.146.1.169

ZFS PhoneHome



Firewall Rules Between the Gateway and OracleThird-Party Hosts

This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle third-party hosts.



Note - ILOMs on non-Oracle hardware can be monitored by Oracle Advanced Monitoring andResolution. ILOMs on non-Oracle hardware cannot be monitored by Oracle Platinum Servicesor Oracle Auto Service Request (ASR).

TABLE 15 Firewall Rules Between the Gateway and Third-Party Standalone Hosts

ApplicationProtocol


Purpose


ICMP Type 0and 8






Host

Host ILOM (if Oracle hardware)



Host TCP/1830-1839



Host TCP/22 SSH connection for implementationand ongoing support

SNMP Host

Host ILOM (if Oraclehardware)



HTTPS(OEMAgent)





Firewall Rules Between the Gateway and Hosts tobe Monitored by ADSThis section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and hosts to be monitored by Oracle Advanced Database Support (ADS).

Note - Oracle Advanced Database Support (ADS), an Oracle service that offers database faultmonitoring with automatic service request submission, database security compliance reporting,proactive database health checks, and remote patch deployment, may be added to Platinumand non-Platinum systems for a fee. Please contact your Oracle representative for furtherinformation.



TABLE 16 Firewall Rules Between the Gateway and Hosts to be Monitored by Oracle Advanced Database Support(ADS)

ApplicationProtocol


Purpose


ICMP Type 0and 8






Host TCP/22 SSH connection for implementationand ongoing support


Host DB listenerport, default isTCP/1521

DB listener port for discovery andongoing monitoringNote - This is not required forPlatinum Services customers.


Host TCP/1830-1839


HTTPS(OEMAgent)





ZFS, Exalogic, and SuperCluster ASR Endpoint IPAddress Changes

This section provides a table showing ZFS Storage Appliance Racked System, Exalogic, andSuperCluster ASR Endpoint IP address changes.

TABLE 17 ZFS Storage Appliance Racked System, Exalogic, and SuperCluster ASR Endpoint IP Address Changes

Service Used By Old IP Address New IP Address

inv-cs.oracle.com ZFS Controllers

Exalogic

SuperCluster

192.18.110.10 129.157.65.14

asr-services.oracle.com ZFS Controllers

Exalogic

SuperCluster

192.18.110.13 129.157.65.13


Implementation Changes to a Customer System

Implementation Changes to a Customer SystemThis section outlines the changes made to a customer's system during the implementation ofOracle Gateway Enabled services, including Platinum Services, Business Critical Servicefor Systems, Lifecycle Support Services, and Advanced Monitoring and Resolution. OracleAdvanced Support Gateway runs Oracle Enterprise Manager Cloud Control to perform itsmonitoring. Oracle Enterprise Manager Cloud Control requires agents to be installed on hosts,and then uses various plug-ins to monitor those devices that cannot be monitored directly. Thissection describes the monitoring method for a device and the configuration to be performed.

Refer to the following sections:

■ “The Monitoring Matrix” on page 41■ “Implementation Impact on the Environment” on page 42■ “Utilization Impact Risk of OEM Cloud Control Agent on Monitored Systems

” on page 47

The Monitoring MatrixThis section provides a table of devices and shows how each device is monitored.

TABLE 18 Devices and their Associated Monitoring Methods

Device Monitor

Component CloudControlAgent

Plug-in Target Type SNMP Trap ASR

EngineeredSystem

Exadata Storage Cell No Oracle Exadata Storage Server Yes Yes

EngineeredSystem

Cisco Switch No Oracle Engineered System Cisco Switch Yes No

EngineeredSystem

Infiniband Switch No Oracle Infiniband Switch Yes No

EngineeredSystem

PDU No Oracle Engineered System PDU Yes No

EngineeredSystem

OVS Compute Node No Oracle Engineered System ILOM Server

Oracle Virtual Platform

Oracle Server

Yes Yes

EngineeredSystem

ZFS Array StorageHeads

No Oracle ZFS Appliance No Yes(configuredby thecustomer)



Device Monitor

Component CloudControlAgent

Plug-in Target Type SNMP Trap ASR

Exadata Database Node Yes Oracle Engineered System ILOM Server

Host

Yes Yes

Exalogic Physical ComputeNode

Yes Oracle Engineered System ILOM Server

Host

Yes Yes

Exalogic Exalogic Control VM Yes Host No No

SuperCluster Control Domains Yes Oracle Engineered System ILOM Server

Host

Yes Yes

SuperCluster Logical Domains Yes Yes No (coveredby ControlDomain)

Standalone Server (including otherEngineered System nodes and VMs, forexample: ODA, BDA, Exalytics)

Yes Oracle Engineered System ILOM Server(if Oracle hardware)

Host

Yes Yes

Standalone ZFS Array Storage Heads No Oracle ZFS Storage Appliance No Yes(configuredby thecustomer)

Axiom 600 No Oracle Axiom Yes Yes (CallHomeCustomerConfigured)

Implementation Impact on the Environment

The following sections describe the changes that are made to various types of system during theimplementation process:

■ Systems with an agent deployed. See “All Systems With An AgentDeployed” on page 43.

■ Engineered System. See “Engineered Systems” on page 44■ Engineered System Cisco Switch. See “Engineered System Cisco

Switches” on page 44.■ Engineered System Infiniband Switches. See “Engineered System Infiniband

Switches” on page 45.



■ Engineered System PDU's. See “Engineered System PDU's” on page 45.■ OVS Compute Nodes. See “OVS Compute Nodes” on page 45.■ Exalogic Compute Nodes (Physical Implementation) and Exalogic Virtual Machines /

Control Virtual Machines. See “Exalogic Compute Nodes (Physical Implementation) andExalogic Virtual Machines / Control Virtual Machines” on page 46.

■ ZFS Storage Array Storage Heads. See “ZFS Storage Array Storage Heads” on page 46.■ Pillar Axiom 600. See “Pillar Axiom 600 Storage Arrays” on page 47.

All Systems With An Agent DeployedThe following changes are made to every system on which an agent is deployed:

■ An entry is added to the /etc/hosts file for Oracle Advanced Support Gateway■ A new group is created on the operating system (OS) of the monitored server. The default

group name is orarom.■ A new user is created on the ILOM of the monitored server (if applicable). The default

username is orarom.■ A new user is added on the operating system (OS) (orarom) of the monitored server.■ The new OS user is added to the group that owns the Oracle Inventory.■ A new user is added into the group that owns the database diag directories that are listed in

the oratab file (required for monitoring databases and generating ADR packages)■ The Oracle Inventory directory is updated for group read/write permissions■ The Database diag directories are updated for group read/write permissions■ A directory (/opt/OracleHomes) is created for the agent information based on the

information provided in the Service Implementation Worksheet (SIW). The SIW is akey part of the planning, execution, and successful implementation of Oracle SupportedServices.

■ If permission to retain root privileges is given in the configuration worksheet, the sudoers orRBAC files are updated to allow the new OS user to execute commands as root

■ For Linux systems, the group of the /var/log/messages file is changed to the new group(orarom) if the group owner is root.This allows the agent user to be part of a group that can read the file and the group readpermission is granted. The agent user can then monitor the messages file. If the messagesfile is already owned by a different group, the new user is added to that group instead.

■ For Linux systems, the /etc/security/limits.conf file is updated to add the requiredsettings for the new user (orarom) to meet the agent requirements.

■ Agents are pushed from Oracle Advanced Support Gateway to the server using the newuser. The storage requirement for the agent is initially around 5GB.

■ Once the agents have been installed, the root.sh script for the agent is executed.



Root.sh creates or updates /etc/oragchomelist, creates /etc/init.d/gcstartup, creates/etc/init.d/lockgcstartup, and creates /etc/init.d/lockgcstartup.

■ For Solaris systems, the explorer tool may be scheduled to execute once per week at 11pPM on Sunday in root’s crontab.

■ For some Solaris systems, host-based fault telemetry is configured for ASR, either updatingsnmpd.conf or using asradm, and starting the required services.

■ ILOMs are configured to send SNMP traps to Oracle Advanced Support Gateway for allILOM detected faults of level minor or above for ASR.

Note - For Exadata Nodes, the ILOM rules are configured on the operating system of thenode using the Exadata CLIs (cellcli and dbmcli) rather than directly on the ILOM.

Note - For Exalogic Virtual Machines, a further file is copied from the physical host to /var/exalogic/info to define it as part of an Exalogic.

Engineered SystemsAn Engineered System has strict policies not to allow the creation of new users or thedeployment of agents on the OS.

The changes that are made to these systems are performed in three stages:

■ Create a user on the ILOM of the system to allow Oracle to access the ILOM and theconsole of the system during troubleshooting. The default username is orarom.

■ When the system is discovered by Oracle Enterprise Manager Cloud Control, it creates SSHkeys from the monitoring user on the database node(s) to the cellmonitor user within thestorage cell.

■ Update the snmpsubscribers in the cell software to send the traps to Oracle AdvancedSupport Gateway for ASR. This removes any current subscribers that have a type of ASR.

■ Update the notificationpolicy in the cell software to include "critical,warning,clear".■ Update the notificationmethod in the cell software to include snmp.

Engineered System Cisco SwitchesThe Cisco switch that is installed in the racks of an Engineered System is updated to send trapsto Oracle Advanced Support Gateway, and the SNMP server is enabled to send traps. Thecommunity string is entered if not already set.



Engineered System Infiniband Switches

The Infiniband switches that are installed in the racks of an Engineered System are updatedto send traps to Oracle Advanced Support Gateway and a set of SSH keys is created to allowpassword-less login from the monitoring agent to the nm2user on the switch.

The SSH keys for Exadata and SuperCluster systems are configured at discovery time.For the other systems, these are created manually by the installation engineer during theimplementation prior to the target discoveries.

Engineered System PDU's

The PDU modules within the racks of an Engineered System are updated to send traps to OracleAdvanced Support Gateway, and the PDU thresholds are set to generate alerts based on thevalues from Oracle Engineering teams.

OVS Compute Nodes

The Oracle Virtual Server operating system that is used within an Engineered System that isrunning the virtualized stack has strict policies that do not allow the installation of agents on tothe systems. These nodes will have the ILOMs configured to send traps to the OASG for ASR.A user (orarom) will be created on the OVS Server and granted the following privileges in thesudoers file:

<user> ALL=/usr/sbin/xentop, /usr/sbin/dmidecode, /sbin/ethtool, /usr/bin/xenstore-ls, /usr/bin/xenstore-read, /usr/bin/xenstore-list, NOPASSWD: /usr/

sbin/xl, /usr/bin/ipmitool, /usr/sbin/xm, /usr/sbin/imageinfo

This list of commands is used by the Oracle Virtual Platform and Oracle Server target types toread information about the system and relay the information to OEM.

Note - The profile may be updated if the option for Oracle to retain sudo privilege is granted.



Exalogic Compute Nodes (PhysicalImplementation) and Exalogic Virtual Machines /Control Virtual Machines

These types of system have limited storage space on the root filesystem. Installing an agent onthe root filesystem is deemed to put this limited space at risk. The implementation for thesesystems creates a project on the internal ZFS storage array in the rack and creates a filesystemfor each node or VM that has an agent installed.

The installation on the node/VM will then perform the following:

■ Update the (v)fstab to ensure the filesystem is mounted from the ZFS storage array at boottime.

■ Mount the filesystem on the required directory.■ Install and configure the Exalogic Lifecycle Toolkit, release 14.2.

Refer to the Exalogic Lifecycle Tools Note 1912063.1 on the My Oracle Support(MOS) website at: https://support.oracle.com/epmos/faces/DocumentDisplay?id=1912063.1.

■ A user (orarom) will be granted the following privileges in the sudoers file:

<user> ALL==/usr/sbin/dmidecode, /sbin/ethtool, NOPASSWD: /usr/bin/ipmitool, /usr/sbin/imageinfo

Note - The profile may be updated if the option for Oracle to retain sudo privilege isgranted.

ZFS Storage Array Storage Heads

The ZFS arrays are appliances that cannot have agents installed on them. Consequently, they aremonitored from another agent using a specific monitoring user. The changes that are carried outon both of the storage heads in a cluster are as follows:

■ Execute the workflow “Configure for Oracle Enterprise Manager”. This always has therecreateWorksheet setting enabled. If the oracle_agent user and role are already created,then the recreateUser setting is not enabled. Otherwise it is enabled. If the user is set to berecreated, the password used is a strong, randomly generated, 16-character password.


https://support.oracle.com/epmos/faces/DocumentDisplay?id=1912063.1

https://support.oracle.com/epmos/faces/DocumentDisplay?id=1912063.1


Note - The customer can change the password on the oracle_agent user without affectingthe Oracle monitoring solution.

■ Create a new user for the Oracle monitoring solution using the role oracle_agent created bythe above workflow. The default username is orarom, but the name is customizable from theService Implementation Worksheet (SIW).

■ Enable advanced_analytics for the new user created above.

Pillar Axiom 600 Storage ArraysThe Axiom 600 storage array is an appliance that cannot have an agent installed on it.Consequently, it is monitored from another agent using a plug-in. A new user is created with aMonitor role for the plug-in to perform the connection and obtain the information. The defaultusername is orarom, but the name is customizable from the Service Implementation Worksheet(SIW).

Utilization Impact Risk of OEM Cloud ControlAgent on Monitored SystemsOracle's implementation is designed to be a low risk deployment using scripts to ensureconsistent deployments across all customer implementations. Furthermore, the implementationis validated for monitoring within Oracle test systems. Oracle makes no changes to customerapplications or files outside of the steps described in the relevant sections on impacts on theenvironment above.

The table below outlines the utilization impact that OEM has on the monitored systems.

TABLE 19 Utilization Impact of Oracle Enterprise Manager Cloud Control Agent on MonitoredSystems

Overhead Impact of the Oracle Tools in the Environment

Metric OEM 12c

CPU Utilization The OEM 12c Agent uses from 0.02% to 1% of CPUutilization.

The agent may utilize more CPU cycles, depending onthe number of processes or applications monitored.

Memory Utilization The OEM 12c Agent needs from 1GB to 2GB RAM tooperate correctly.


Server Prerequisites for Monitoring Deployment

Overhead Impact of the Oracle Tools in the Environment

Metric OEM 12cThe actual memory utilization of the agent variesdepending on the number of processes or applicationsmonitored.

Disk Space Utilization The OEM agent requires at least 2GB of free disk spacefor the installation files.

After installation is complete, the installation files areremoved. The installed OEM agent requires about 1GBof space initially. As the agent operates, disk spacegradually increases up to 5GB.

Backout Plan

If it is necessary for the installation to be rolled back, Oracle will:.

■ Shutdown the agents that have been configured;

■ Work with the customer to schedule a maintenance window to remove the agents and trapdestinations for all the devices configured for monitoring.


This section outlines the methods used to provide Oracle with the necessary server access forimplementing monitoring on the Gateway. Refer to the following:

■ “Server Prerequisites for Monitoring Deployment” on page 48■ “Monitoring Access: an Overview” on page 49.■ “User Privileges” on page 49■ “Solaris 11 Initial Setup User RBAC Profile” on page 51■ “Solaris 10 Initial Setup User RBAC Profile” on page 53■ “Solaris sudo Profile” on page 54■ “Linux sudo Profile” on page 55


For services that are performed using Oracle Enterprise Manager (OEM), agents must bedeployed to the systems. These systems must meet the pre-requisites for an EM agent as



described in the Package Requirements for Oracle Management Agent section of OracleEnterprise Manager Cloud Control Basic Installation Guide.

Monitoring Access: an OverviewIn general, there are three methods for providing Oracle the necessary access for implementingmonitoring:

■ Provide root access to all systems.■ Enable access using Role-based Access Control (RBAC). RBAC is a security feature

for controlling user access to tasks that would normally be restricted to the root role.By applying security attributes to processes and to users, RBAC can divide superusercapabilities among several administrators. This option is applicable only to systems runningthe Solaris operating system.

■ Provide access via sudo (superuser do). sudo is a program for operating systems suchas Linux and Solaris that allows users to run programs as another user- normally as thesystem’s superuser (root) - as specified in the /etc/sudoers file. This section outlines themethods used to provide Oracle with the necessary access for implementing monitoring onthe Gateway.

During activation of database services, the following users and accounts are used to monitor thedatabase:

■ For storage/cluster monitoring, the user asmsnmp is used;■ For database monitoring, the user dbsnmp is used;■ For standby database monitoring, the user sysdba is used.

Note - Passwords for all of the above users must be available during installation. They canbe entered by the customer into the Oracle Advanced Support Gateway user interface whenneeded.

User PrivilegesOracle requires that the user can execute the following commands using root privileges:

■ <Service EM Base Directory>/agent_home/core/12.1.0.5.0/root.sh

■ <Service EM Base Directory>/agent_home/core/12.1.0.4.0/root.sh

■ /opt/exalytics/asr/bda_mon_hw_asr.pl (Exalytics only)■ /opt/oracle/oak/bin/oakcli (Oracle Database Appliance only)■ /opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl (Exadata only)


http://docs.oracle.com/cd/E73210_01/EMBSC/GUID-059D95F7-0326-4E0D-9470-6675C1891BA9.htm#EMBSC133


■ /opt/oracle.cellos/imageinfo (Exadata only)■ /opt/exalogic/usr/sbin/imageinfo (Exalogic only)■ /opt/oracle/dbserver/dbms/bin/dbmcli (Exadata and ZDLRA only)■ /opt/oracle/bda/bin/imageinfo (Big Data only)■ /opt/oracle/bda/bin/imageinfo (Big Data only)■ /opt/ipmitool/bin/ipmitool (Solaris only)■ /opt/ipmitool/sbin/ipmitool (Solaris only)■ /usr/bin/chmod

■ /usr/bin/chown

■ /usr/bin/chgrp

■ /usr/bin/crontab (Solaris only)■ /usr/bin/cp

■ /usr/bin/ex

■ /usr/bin/ipmitool

■ /usr/bin/grep

■ /usr/bin/ls

■ /usr/bin/mkdir

■ /usr/bin/rmdir

■ /usr/bin/passwd

■ /usr/bin/profiles (Solaris 11 only)■ /usr/bin/vim

■ /usr/bin/xenstore-list

■ /usr/lib/fm/notify/asr-notify (Solaris 11 only)■ /usr/sbin/dbmcli (Exadata and ZDLRA only)■ /usr/sbin/dmidecode (Linux only)■ /usr/sbin/groupadd

■ /usr/sbin/svcadm (Solaris only)■ /usr/sbin/useradd

■ /usr/sbin/usermod

■ /usr/sbin/xm

The user provided for the initial setup can be removed once the monitoring has been deployedand the agent user has been created. The agent user can be a user defined within a namingservice and a home directory mounted from an NFS server. However, the agent installationdirectory must be unique to each server to be monitored. If the agent user is configured as partof a naming service, then the user must belong to the group that owns the Oracle inventory onall of the servers. The deployment scripts will verify and enforce group write permissions on



any Oracle inventory directory that is discovered by using the /etc/oraInst.loc or the /var/opt/oracle/oraInst.loc files.

User Privileges for Exalogic Systems

If the user is part of a naming service and NFS mounts are to be defined (Exalogic systemsrequire NFS mounts), use NFSv4 rather than NFSv3. The configuration of NFSv4 is outsidethe scope of this service, but the new mounts are defined with the NFSv4 options, and thefollowing extra command must be added to the security profile, depending on OS:

■ /usr/sbin/mount (Linux)■ /sbin/mount (Solaris)

Note - The command paths are related to Solaris. For the Linux paths, please refer to thesudo settings for Linux.

Solaris 11 Initial Setup User RBAC ProfileThe user for the initial setup requires a profile built from the following configuration file:

set desc="ACS Service Profile"

add cmd=<Service EM Base>/agent_home/core/12.1.0.5.0/root.sh

set uid=0

end

add cmd=<Service EM Base>/agent_home/core/12.1.0.4.0/root.sh

set uid=0

end

add cmd=/opt/oracle.cellos/imageinfo

set uid=0

end

add cmd=/opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl

set uid=0

end

add cmd=/opt/ipmitool/bin/ipmitool

set uid=0

end

add cmd=/opt/ipmitool/sbin/ipmitool

set uid=0

end

add cmd=/usr/bin/chmod

set uid=0

end

add cmd=/usr/bin/chown

set uid=0



end

add cmd=/usr/bin/chgrp

set uid=0

end

add cmd=/usr/bin/crontab

set uid=0

end

add cmd=/usr/bin/cp

set uid=0

end

add cmd=/usr/bin/ex

set uid=0

end

add cmd=/usr/bin/vim

set uid=0

end

add cmd=/usr/bin/grep

set uid=0

end

add cmd=/usr/bin/ls

set uid=0

end

add cmd=/usr/sbin/groupadd

set uid=0

end

add cmd=/usr/bin/mkdir

set uid=0

end

add cmd=/usr/bin/rmdir

set uid=0

end

add cmd=/usr/bin/passwd

set uid=0

end

add cmd=/usr/bin/profiles

set uid=0

end

add cmd=/usr/lib/fm/notify/asr-notify

set uid=0

end

add cmd=/usr/sbin/svcadm

set uid=0

end

add cmd=/usr/sbin/useradd

set uid=0

end

add cmd=/usr/sbin/usermod

set uid=0



end

add cmd=/opt/exalogic/usr/sbin/imageinfo

set uid=0

end

If Oracle Enterprise Manager (OEM) agents are installed on an Exalogic, an NFS mount isconfigured by Oracle, and the user must also have the following command added to the profile:

add cmd=/sbin/mount

set uid=0

end

To create the profile from the configuration file above, perform the following as root or as auser with permission to create new profiles:

profiles -p <Profile name> -f <configuration file>

usermod -P +<Profile name> <user>

This provides the required level of access to perform the creation of the user and groupdirectories, as well as setting the permissions on the Oracle inventory.

Solaris 10 Initial Setup User RBAC Profile

Solaris 10 RBAC configuration is controlled through files located in the /etc/securitydirectory. Append the following lines to the exec_attr file:

ACSSINITIAL:solaris:cmd:::<Service EM

Base>/agent_home/core/12.1.0.5.0/root.sh:uid=0

ACSSINITIAL:solaris:cmd:::<Service EM

Base>/agent_home/core/12.1.0.4.0/root.sh:uid=0

ACSSINITIAL:solaris:cmd:::/opt/ipmitool/bin/ipmitool:uid=0

ACSSINITIAL:solaris:cmd:::/opt/ipmitool/sbin/ipmitool:uid=0

ACSSINITIAL:solaris:cmd:::/usr/bin/chmod:uid=0

ACSSINITIAL:solaris:cmd:::/usr/bin/chown:uid=0

ACSSINITIAL:solaris:cmd:::/usr/bin/chgrp:uid=0

ACSSINITIAL:solaris:cmd:::/usr/bin/crontab:uid=0

ACSSINITIAL:solaris:cmd:::/usr/bin/cp:uid=0

ACSSINITIAL:solaris:cmd:::/usr/bin/ex:uid=0

ACSSINITIAL:solaris:cmd:::/usr/bin/vim:uid=0

ACSSINITIAL:solaris:cmd:::/usr/bin/grep:uid=0

ACSSINITIAL:solaris:cmd:::/usr/sbin/groupadd:uid=0

ACSSINITIAL:solaris:cmd:::/usr/bin/ls:uid=0

ACSSINITIAL:solaris:cmd:::/usr/bin/mkdir:uid=0

ACSSINITIAL:solaris:cmd:::/usr/bin/rmdir:uid=0

ACSSINITIAL:solaris:cmd:::/usr/bin/passwd:uid=0



ACSSINITIAL:solaris:cmd:::/usr/sbin/svcadm:uid=0

ACSSINITIAL:solaris:cmd:::/usr/sbin/useradd:uid=0

ACSSINITIAL:solaris:cmd:::/usr/sbin/usermod:uid=0


ACSSINITIAL:solaris:cmd:::/sbin/mount:uid=0

Append the following line to the prof_attr file:

ACSSINITIAL:::Oracle Install Profile:

Once these entries have been added, update the user that will be used for the initial installationto allow access to the profile:

usermod -P ACSSINITIAL <user>

Solaris sudo Profile

For Solaris users, add the following entries to the sudoers file:

Cmnd_Alias ACSSINSTALL = /usr/bin/chmod, /usr/bin/chown, \

/usr/bin/chgrp, /usr/bin/crontab, /usr/bin/cp, \

/usr/bin/ex, /usr/bin/grep, /usr/sbin/groupadd, \

/usr/bin/ls, /usr/bin/mkdir, /usr/bin/passwd, \

/usr/bin/profiles, /usr/lib/fm/notify/asr-notify, \

/usr/bin/rmdir, /usr/sbin/svcadm,/usr/sbin/asradm, \

/usr/sbin/useradd, /usr/sbin/usermod, \

<ServiceEMBase>/agent_home/core/12.1.0.5.0/root.sh,\


/opt/ipmitool/bin/ipmitool, /opt/ipmitool/sbin/ipmitool, \

/opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl, \

/opt/oracle.cellos/imageinfo, \

/opt/exalogic/usr/sbin/imageinfo

<user> ALL=(ALL) ACSSINSTALL

The user must also have the sudo binary in their path to allow it to execute without a full path.

If the OEM agents are installed using an NFS mount that is to be configured by Oracle, then theuser must also have the following command alias created as assigned to the user:

Cmnd_Alias ACSSHAREDINSTALL = /sbin/mount

<user> ALL=(ALL) ACSSHAREDINSTALL


Storage Prerequisites for Monitoring Deployment

Linux sudo Profile

For Linux users, add the following entries to the sudoers file:

Cmnd_Alias ACSSINSTALL = /bin/chmod, /bin/chown, \

/bin/chgrp, /bin/cp, /bin/ex, \

/bin/grep, /bin/ls, /bin/mkdir, /bin/rmdir, \

/opt/exalytics/asr/bda_mon_hw_asr.pl, \

/usr/bin/passwd, /usr/sbin/groupadd, \

/usr/sbin/useradd, /usr/sbin/usermod, \

/usr/bin/ipmitool, /usr/bin/xenstore-list, \

/opt/oracle/oak/oakcli, /usr/sbin/dmidecode, \

/opt/exalytics/asr/bda_mon_hw_asr.pl, \



/opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl, \

/opt/oracle.cellos/imageinfo, \

/opt/oracle/dbserver/dbms/bin/dbmcli, \

/opt/exalogic/usr/sbin/imageinfo, \

/usr/sbin/imageinfo, /usr/sbin/xm, \

/opt/oracle/bda/bin/imageinfo

<user> ALL=(ALL) ACSSINSTALL

The user must also have the sudo binary in their path to allow it to execute without a full path.


Cmnd_Alias ACSSHAREDINSTALL = /bin/mount

<user> ALL=(ALL) ACSSHAREDINSTALL


This section outlines storage requirements for the monitoring deployment. Refer to thefollowing sections:

■ “Monitoring Deployment: an Overview” on page 56■ “Oracle ZFS Storage Appliances” on page 56



Monitoring Deployment: an Overview

The storage systems do not have the same privilege promotion capabilities as the servers do;each storage system has a different method of granting access privileges. There are 3 options toprovide Oracle with the necessary access for implementing monitoring:

■ Provide administrator access to the system.■ For some systems, create a user with the necessary privileges for Oracle to configure a new

user for monitoring.■ Create the monitoring user per the system requirements.

For information on which options are available for the various storage systems, refer to thefollowing sections.

Oracle ZFS Storage Appliances

The information in the following sections defines the properties for the users used in thedeployment of monitoring and the standard monitoring users. Further privileges are required forpatching the systems during a patch cycle. Refer to the following sections:

■ “Restricted User for Monitoring Deployment (AKSH Shell)” on page 56■ “Monitoring User Requirements” on page 57■ “Restricted User for Monitoring Deployment User (ILOM)” on page 57■ “Monitoring User Requirements (ILOM)” on page 57

Restricted User for Monitoring Deployment (AKSH Shell)

You can create a user with the following privileges to be used during the monitoringdeployment:

TABLE 20 Privileges for a Restricted User for Monitoring Deployment

Object Permissions

worksheet.*.* modify

stat.* ■ read■ create

user.* ■ changePassword■ changePreferences■ changeProperties■ changeRoles


Audit Logging

Object Permissions■ create

workflow.*.* read

role.* ■ changeAuths■ changeDescription■ create

Monitoring User Requirements

You can create the monitoring user using the following high level steps:

■ Execute the workflow outlined in the section “Configure for Oracle Enterprise ManagerMonitoring”, ensuring to select creation of the worksheet.

■ Create a new user for monitoring.■ Assign the oracle_agent role to this user.■ Set the preferences for the user to enable Advanced Analytics.■ Add the stat.* create authorization to the oracle_agent role.

Restricted User for Monitoring Deployment User (ILOM)

You can create a user with the role of u to allow Oracle to create a new user for use with themonitoring.

Monitoring User Requirements (ILOM)

In order to provide monitoring and diagnostic collection on the ZFS ILOM, including initiatingan NMI to the host, the monitoring user requires the permissions cro.

Audit Logging

The audit logging feature of Oracle Advanced Support Gateway provides audit information forthree different categories of system events. The three categories are:

■ Outbound network connections: The Linux firewall service (iptables) triggers notificationsfor all outbound network traffic with the exception of traffic to Oracle managed hosts usedfor monitoring and management (for example, Oracle VPN end points, dts.oracle.com,support.oracle.com).


Audit Logging

■ Outbound login activity: The Linux auditing service (auditd) triggers notifications for alloutbound login attempts initiated from Oracle Advanced Support Gateway. This is doneby monitoring usage of the ssh and telnet system binaries. Oracle Advanced SupportGateway sends a message that ssh or telnet has been used, by which user, and when. Thedestination is not provided. auditd logs contain that information. auditd logs are not directlyaccessible by the customer on Oracle Advanced Support Gateway.

■ Inbound Oracle Advanced Support Gateway User Login Activity: The Linux auditingservice (auditd) triggers notifications each time any of the system logs used for trackinglogins is updated. This includes failed logins and successful login attempts. It also triggersa notification each time a user logs in from a remote system. These activities are monitoredusing auditd and forwarded to the customer's central logging system.

All audit notifications are delivered using standard syslog protocol. A central logging systemmust be provided to accept and process these messages.

The format of most of these messages is based on auditd. They can be managed using variousauditd and related utilities.

The audit logging feature is disabled by default, and must be explicitly enabled through theOracle Advanced Support Gateway command line interface (CLI). The details of how toconfigure this feature are explained in the following section:

Initial Login

1. Use ssh to connect to Oracle Advanced Support Gateway.Use the customer administrator account configured at installation time or any other userwith the customer administrator role.

2. At the first (CLI or CLISH) prompt, enter the password.3. At the next prompt enter configure terminal.4. At the next prompt enter syslog.

You are now in the syslog-specific section of the Oracle Advanced Support Gateway CLIwhere you can configure forwarding.

Available Commands

Command Description

help Display a list of available commands.

? Provide a brief explanation of how to enter commands in the CLI.

stat Display the current configuration.

This produces a display similar to the following:

------------- SyslogBroadcaster Configuration ------------

Message Forward Status = enabled


Audit Logging

Command DescriptionHost IP Address = 1.2.3.4

Host Port Number = 514

Host Time Zone = GMT

firewall Message Forward = enabled

ssh Message Forward = enabled

session Message Forward = enabled

UID/GUID MapICMP Type 0 and 8 = enabled

-----------------------------------------------------------

forward enable Enable syslog forwarding.

forward disable Disable syslog forwarding.

ip <ip address> Enter the IP address of the remote syslog server (the one receiving the forwardedmessages.)

You must enter a valid IP address, not a host name.

port <port number> Change the port used for forwarding syslog messages.

timezone <value> Set the time zone used in the forwarded syslog messages.

The value must be in the range -12 to +12 which is the offset from Greenwich MeanTime (GMT.)

mapping enable

mapping disable

Convert the UID and GUID contained in each message to the corresponding UNIXuser and group name.

Enabling and Disabling Logging MessagesThis section outlines the commands to enable and disable logging messages, and providesexamples of the resulting messages.

In the examples below, user mapping is enabled: uid=#(username) and gid=#(groupname).In the event that user mapping is disabled, all instances of uid=# and gid=# are replaced withuid=0 and gid=0.

Any combination of the following three categories can be enabled or disabled.

Outbound Network Connectivity

■ To enable or disable this type of message forwarding:

firewall enable

firewall disable

These messages are generated by iptables and represent all outbound network traffic with theexception of traffic to known addresses used for Oracle monitoring.

The following example shows messages as they are seen on the system that receives theforwarded syslog messages.


Audit Logging

Result from an nslookup command:

Jul 31 15:10:01 Jul-31 15: 10:01 GMT+00:00 0:0:0:0:0:0:0:1 NA:

sample-host kernel: iptables: IN= OUT=eth0 SRC=nn.nn.nn.nn DST=nn.nn.nn.nn LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=33101 DF PROTO=UDP SPT=30849 DPT=53 LEN=39 UID=jsmith GID=admin

Result from an ssh command:

Jul 31 15:13:22 Jul-31 15: 13:22 GMT+00:00 0:0:0:0:0:0:0:1 NA:

sample-host kernel: iptables: IN= OUT=eth0 SRC=nn.nn.nn.nn DST=nn.nn.nn.nn LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46937 DF PROTO=TCP SPT=54842 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0 UID=jsmith GID=admin

Outbound Login Activity


ssh enable

ssh disable

The following example shows a message as it is seen on the system that receives the forwardedsyslog messages.

Result from an ssh command:

Jul 31 15:22:15 Jul-31 15: 22:14 GMT+00:00 0:0:0:0:0:0:0:1 NA:

sample-host audispd: node=sample-host type=SYSCALL

msg=audit(1437567767.027:17839321): arch=c000003e syscall=59

success=yes exit=0 a0=124e030 a1=123d7f0 a2=1246d90 a3=10

items=2 ppid=22614 pid=25252 auid=54373 uid=jsmith gid=admin euid=54373

suid=54373 fsuid=54373 egid=501 sgid=501 fsgid=501 tty=pts4 ses=90594

comm="ssh" exe="/usr/bin/ssh"

subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

key="gateway_audit"

Oracle Advanced Support Gateway User Login Activity


session enable

session disable

The following examples show messages as they are seen on the system that receives theforwarded syslog messages.

Example of ssh being invoked on Oracle Advanced Support Gateway:

Aug 1 21:37:02 Aug-01 17: 37:02 GMT-04:00 0:0:0:0:0:0:0:1


Managing ASR Audit Logs

NA: sample-host audispd: node=sample-host type=SYSCALL

msg=audit(1375393022.626:187186): arch=c000003e syscall=59 success=yes

exit=0 a0=7fa860e69380 a1=7fa860e697e0 a2=7fa860e69ca0 a3=0 items=2

ppid=1428 pid=12967 auid=4294967295 uid=jsmith gid=admin euid=0 suid=0 fsuid=0

egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd"

exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023

key="SESSION"

Result from an su command on Oracle Advanced Support Gateway:

Aug 1 21:42:49 Aug-01 17: 42:49 GMT-04:00 0:0:0:0:0:0:0:1

NA: sample-host audispd: node=sample-host type=SYSCALL

msg=audit(1437567906.700:17840209): arch=c000003e syscall=2 success=yes

exit=3 a0=7f691418c518 a1=2 a2=7f691418c760 a3=fffffffffffffff0 items=1

ppid=22614 pid=25811 auid=54373 uid=54373 gid=501 euid=0 suid=0 fsuid=0

egid=501 sgid=501 fsgid=501 tty=pts4 ses=90594 comm="su" exe="/bin/su"

subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

key="SESSION"


This section describes how to manage Oracle Auto Service Request (ASR) audit logs for OracleAdvanced Support Gateway. It includes the following topics:

■ “About ASR Audit Logs” on page 61■ “Viewing ASR Audit Logs” on page 61■ “Downloading ASR Audit Logs” on page 62

About ASR Audit Logs

Oracle Auto Service Request (ASR) allows customers to restore system availability if ahardware fault occurs. ASR is a secure, expedited diagnostic process with automatic servicerequest generation, priority service request handling, and automatic parts dispatch.You canmaintain an ASR audit log that enables you to view, download, and search for audits.

Viewing ASR Audit Logs

The ASR Audit Log page enables you to view and maintain all of your organization’s OracleAdvanced Support Gateway ASR log entries, and to download cached log files.



To view ASR audit log entries:

1. Log in to Oracle Advanced Support Gateway.The Oracle Advanced Support Gateway Home page appears.

2. From the Gateway menu, click ASR Audit Log.The ASR Audit Log page appears, displaying the following information for all entries in theASR Log Entries table:

TABLE 21 Field Definitions in the ASR Log Entries Table

Property Definition

# The number of the ASR log entry.

Time The time at which the ASR log entry was made.

UUID The UUID associated with the ASR log entry.

Site ID The site ID at which the ASR log entry was made.

Host ID The host ID at associated with the ASR log entry.

System ID The system ID associated with the ASR log entry.

Asset ID The asset ID associated with the ASR log entry.

Product Name The product name associated with the ASR log entry.

Status Indicates whether the ASR log entry status is:

■ Sent: The ASR log entry has been delivered to Oracle ASR Infrastructure

Downloading ASR Audit Logs

The ASR Audit Log page enables you to download cached log files.

To download ASR log entries:

1. Log in to Oracle Advanced Support Gateway.The Oracle Advanced Support Gateway Home page appears.

2. From the Gateway menu, click ASR Audit Log.The ASR Audit Log page appears.

3. Click Download Log Files.A list of timestamped ASR audit logs appears.

4. Click the required log to download it.5. Save the log to the required location.


oracle® advanced support gateway security guide · oracle® advanced support gateway security...

Documents