Oracle Enterprise Manager Security Best Practices
Huaqing Wang, Senior Product Manager, Oracle
Ravi Pinnamaneni, Consulting Member of Technical Staff, Oracle
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda
• Oracle Enterprise Manager Overview
• Security Best Practices
• Managing Enterprise Manager Security using Enterprise Manager
• Q & A
• Appendix
© 2010 Oracle Corporation
Business-Driven IT Management
Enterprise Manager Security Certification: Common Criteria EAL 4+
• Enterprise Manager security feature development process rigorously vetted and certified by independent government agency
• Certified with Common Criteria Evaluation Assurance Level (EAL) 4+ with ID# BSI-DSZ-CC-0621-2010 on Aug. 27, 2010
• Comprehensive evaluation process took 2+ years to complete
• EAL4+ is the highest mutually recognized level among governments worldwide
Oracle Enterprise Manager Architecture Overview
• Oracle Management Agent (Management Agent)
  – An integral software component deployed on each monitored host
  – Responsible for monitoring and managing the hosts and all the targets running on those hosts, communicating the information (metrics, configurations, etc.) to Oracle Management Service (OMS)
• Oracle Management Service (OMS)
  – J2EE Web application that orchestrates with Oracle Management Agents to discover targets, monitor and manage them, and upload the collected information to Oracle Management Repository for future reference and analysis
  – Renders the user interface for the Grid Control Console
• Oracle Management Repository (Management Repository)
  – An Oracle database where all the information (metrics, configurations, etc.) collected by the Oracle Management Agents gets stored
• Grid Control Console
  – A web user interface from where you can monitor and administer your entire computing environment
Enterprise Security Considerations and Threats
Security Consideration | Security Threat
Data confidentiality and integrity | Man-in-the-Middle attacks
Data availability | Denial-of-Service attacks
Authentication | Password crack attacks
Segregation of duties | Exploitation of authorization
Non-repudiation | Repudiation
• Data confidentiality and integrity
  – Not disclosed to any entities unless they are authorized to access
  – Not changed, destroyed, or lost in unauthorized or accidental manner
• Man-in-the-Middle attacks
  – Interrupts, intercepts, modifies or fabricates data in transit
• Data Availability
  – Available and usable upon demand by an authorized entity
• Denial-of-Service attacks
  – Makes Management Repository or OMS unavailable to intended users by flooding them with more requests than they can handle
• Authentication
  – The process to verify the identity, usually username and password, claimed by a user
• Password crack attacks
  – Obtains password from an authentication exchange, then uses the password to log on to Enterprise Manager Grid Control
    • For example: guess, dictionary and brute force attacks
• Segregation of duties
  – No person should be given responsibility for more than one related function
• Exploitation of authorization
  – Accesses resources (targets, jobs, templates and so on) that he/she should not be authorized to
• Non-repudiation
  – Network security: Neither sender nor recipient can later deny having processed the information
  – Web Application security: No one can later deny the actions he/she has taken in the application
• Repudiation
  – Refuses authoring of something that happened
Oracle Enterprise Manager Security Overview
1. Enterprise Manager Infrastructure Security
2. Authentication, Authorization and Audit – The Three A’s
3. Security of target authentications
Enterprise Manager Infrastructure Security
• Enterprise Manager Infrastructure Security
  – Securing individual Enterprise Manager components
  – Securing communication
Infrastructure Security Best Practices: Securing Enterprise Manager Components
• Harden the machines on which OMS and Management Repository reside
  – Remove insecure services such as FTP, telnet, rlogin and so on
  – Close UDP and TCP ports for services that are disabled
• Apply all security patches
  – Always apply latest relevant CPUs for OS, Oracle Database, Oracle Weblogic Server, OMS and Agents
• Use privilege delegation tool such as sudo/Powerbroker for the access to the owner of OMR, OMS and Agent Oracle Homes
  – Disable direct login to hosts for the owner account, “oracle”
  – Allow normal users to perform administrative tasks without disclosing password of privileged user
Infrastructure Security Best Practices: Oracle Management Repository
• Follow best practices for securing the Oracle Database (e.g. Oracle Database Security Checklist)
  – Restrict operating system access
    • Limiting the number of OS users with access on Oracle Database host
    • Restricting the ability for these users to modify the default file/directory permissions of Oracle Home
  – Restrict network access to the Repository
    • Check Network IP Address to allow the access to Oracle Database only from authorized nodes
      – Configure $TNS_ADMIN/protocol.ora file
        • tcp.validnode_checking=yes
        • tcp.invited_nodes={list of IP addresses}
      – If Repository is the only database on the host, we can limit the nodes to OMS nodes only
  – Please refer to the link for more information http://www.oracle.com/technetwork/database/security/twp-security-checklist-database-1-132870.pdf
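One way to check the valid-node settings above against the list of OMS hosts, as an added example that is not Oracle's code. It assumes the Repository is the only database on the host, that each parameter sits on one line, and that the node list uses the Oracle Net parameter name tcp.invited_nodes; the file contents, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample protocol.ora contents (illustrative, not from a real host).
WEAK = """\
# valid node checking never switched on
tcp.validnode_checking = no
"""

DRIFTED = """\
tcp.validnode_checking = yes
tcp.invited_nodes = (192.0.2.10, 198.51.100.7)   # second entry is a stray admin PC
"""

HARDENED = """\
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (192.0.2.10, 192.0.2.11)
"""


def parse_params(text):
    """Parse single-line 'name = value' settings; names are case-insensitive."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().lower()] = value.strip()
    return params


def normalise(node):
    """Canonical form of an IP address, or a lower-cased host name."""
    node = node.strip()
    try:
        return str(ipaddress.ip_address(node))
    except ValueError:
        return node.lower()


def node_list(value):
    """Split '(a, b, c)' into normalised entries."""
    inner = value.strip().lstrip("(").rstrip(")")
    return [normalise(n) for n in inner.split(",") if n.strip()]


def audit_valid_nodes(text, oms_nodes):
    """Return a list of findings; an empty list means only OMS nodes are invited."""
    params = parse_params(text)
    if params.get("tcp.validnode_checking", "no").lower() != "yes":
        return ["tcp.validnode_checking is not 'yes': no node restriction is enforced"]
    findings = []
    invited = node_list(params.get("tcp.invited_nodes", ""))
    allowed = [normalise(n) for n in oms_nodes]
    if not invited:
        findings.append("tcp.invited_nodes is missing or empty")
    for node in invited:
        if node not in allowed:
            findings.append(f"{node} is invited but is not an OMS node")
    for node in allowed:
        if node not in invited:
            findings.append(f"OMS node {node} is not invited and will be refused")
    return findings


if __name__ == "__main__":
    oms = ["192.0.2.10", "192.0.2.11"]  # constructed OMS addresses
    for label, sample in (("weak", WEAK), ("drifted", DRIFTED), ("hardened", HARDENED)):
        print(label, audit_valid_nodes(sample, oms) or "OK")
```

The second loop matters as much as the first: an OMS node left out of the list loses its connection to the Repository once valid-node checking is on.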
Infrastructure Security Best Practices: Oracle Management Service
• Follow best practices for securing Oracle Weblogic Server (Securing the Production Environment for Oracle Weblogic Server)
  – Protect WebLogic Server Home directory especially domain directory which contains configuration files, security files, log files and other Java EE resources for the Weblogic domain.
    • Grant only one OS user who runs Weblogic Server the access privilege to the directory
  – Create no fewer than two user accounts with system administrator privileges
    • To ensure one user maintains account access in case another user becomes locked out by a dictionary/brute force attack
  – Please refer to http://download.oracle.com/docs/cd/E12839_01/web.1111/e13705.pdf for more information
Infrastructure Security Best Practices: Oracle Management Agent
• Deploy agent via pushing agents from OMS
  – Secure Shell (SSH) protocol is used in this approach, which ensures the confidentiality and integrity of agent installation
• Use complex one-time registration passwords with reasonable expiry date
  – Registration password combined with random keys generated by OMS and agent is used to produce agent key to register and secure the agent
  – Protect against the possibility of unauthorized agents accessing OMS
Infrastructure Security Best Practices: Securing Communication Overview
• Various communications within Enterprise Manager
  – Between OMS and agent (Bidirectional)
  – Between browsers and OMS
  – Between OMS and Management Repository
  – Between OMS and targets
• Communications in firewall environments
Infrastructure Security Best Practices: Securing Communication Between OMS and Agents
• Securing communication between OMS and Agents (Bidirectional)
  – It is secure-locked out of the box (10.2.0.5 and after), which means the communication is only over HTTPS
  – Security aspects of communication over HTTPS
    • What secure protocol is used
      – Secure Socket Layer (SSL) v3
      – Transport Layer Security (TLS) v1
    • What strong cipher suites are used
    • Is certificate from well-known Certificate Authority (CA)
Infrastructure Security Best Practices: Securing Communication
• Enable TLS v1 only for communication between OMS and Management Agents
  – OMS:
    • emctl stop oms
    • emctl secure oms -protocol TLSv1
    • Append -Dweblogic.security.SSL.protocolVersion=TLS1 to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh.
    • emctl start oms
  – Agent:
    • Update $Agent_Home/sysman/config/emd.properties
      – allowTLSonly=true
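A static check that the two file edits above are still in effect, as an added example that is not Oracle's code. The flag and the property name are spelled as on the slide; the file fragments and function names are constructed, and the check reads files only, so it says nothing about what a running server negotiates.

```python
import re

# JVM flag and agent property exactly as written on the slide above.
TLS_FLAG = "-Dweblogic.security.SSL.protocolVersion=TLS1"
AGENT_KEY = "allowTLSonly"

# Constructed file fragments for illustration; real files contain much more.
START_SCRIPT_OK = '''\
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.protocolVersion=TLS1"
export JAVA_OPTIONS
'''

START_SCRIPT_RESET = '''\
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.protocolVersion=TLS1"
# a later edit replaces the variable instead of appending to it
JAVA_OPTIONS="-Xms256m -Xmx1024m"
export JAVA_OPTIONS
'''

EMD_OK = "REPOSITORY_PROXYHOST=proxy.example.com\nallowTLSonly=true\n"
EMD_COMMENTED = "#allowTLSonly=true\n"
EMD_OVERRIDDEN = "allowTLSonly=true\nallowTLSonly=false\n"


def flag_survives(start_script):
    """Replay JAVA_OPTIONS assignments in order; True if the flag is set at the end."""
    flag_re = re.compile(re.escape(TLS_FLAG) + r"(?![\w.])")
    self_ref = re.compile(r"\$\{?JAVA_OPTIONS\}?")
    present = False
    for line in start_script.splitlines():
        m = re.match(r"\s*(?:export\s+)?JAVA_OPTIONS=(.*)", line)
        if m is None:
            continue  # comments and unrelated lines
        rhs = m.group(1)
        # The flag stays only if this assignment adds it or keeps the old value.
        present = bool(flag_re.search(rhs)) or (present and bool(self_ref.search(rhs)))
    return present


def agent_tls_only(emd_properties):
    """The last uncommented allowTLSonly line wins, as in any Java properties file."""
    value = None
    for line in emd_properties.splitlines():
        m = re.match(r"\s*" + re.escape(AGENT_KEY) + r"\s*[=:]\s*(\S*)", line)
        if m:
            value = m.group(1).lower()
    return value == "true"


def audit_tls_only(start_script, emd_properties):
    """Return findings for the OMS start script and the agent properties file."""
    findings = []
    if not flag_survives(start_script):
        findings.append("OMS: JAVA_OPTIONS does not end up containing " + TLS_FLAG)
    if not agent_tls_only(emd_properties):
        findings.append("Agent: " + AGENT_KEY + "=true is not in effect")
    return findings


if __name__ == "__main__":
    print(audit_tls_only(START_SCRIPT_OK, EMD_OK) or "OK")
    print(audit_tls_only(START_SCRIPT_RESET, EMD_OVERRIDDEN))
```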
Infrastructure Security Best Practices: Configuring Enterprise Manager for Firewalls
• Firewalls are commonplace in most mature and modern IT infrastructures
• Two areas where Enterprise Manager and firewalls will interact
  – Navigate between Enterprise Manager components separated by firewalls
  – Communicate with managed targets that are behind firewalls
• Enterprise Manager is designed to cope with both cases but…
  – …this is one of the least understood areas when deploying Enterprise Manager in a secure environment
• Best Practices:
  – Get firewalls into first design of the solution
    • Carefully analyze your protocol requirements between Enterprise Manager and the Managed Targets in your environment, e.g.,
      – HTTP/HTTPS for communication between OMS and Agents
      – SQL*Net for the communication between OMS and Oracle Database targets
      – ICMP and UDP for the communication between beacons and managed targets
    • Consider placement of OMSs when laying down your Enterprise Manager topology
  – Work closely with the network team on design of groups and Access Control List (ACL) for groups of targets
• Lots of different permutations with Enterprise Manager when dealing with Firewalls…
  – Configuring agents on a host protected by a firewall
  – Configuring OMS on a host protected by a firewall
  – Firewalls between OMS and OMR
  – Firewall between your browser and Grid Control
  – Firewalls between the Grid Control and a managed database target
  – Firewalls used with multiple OMS
  – ……
• Let’s take a tour through some of these
• Configure Oracle Management Agent on a host protected by a firewall
  – Configure Oracle Management Agent to use proxy server for its upload to OMS
    • Update the following parameters in file $AGENT_HOME/sysman/config/emd.properties
      REPOSITORY_PROXYHOST=proxyhostname.domain
      REPOSITORY_PROXYPORT=port
    • If authentication is required, edit the following parameters as well
      REPOSITORY_PROXYREALM=realm
      REPOSITORY_PROXYUSER=proxyuser
      REPOSITORY_PROXYPWD=proxypassword
  – Configure firewall to allow inbound communication from OMS to Agent
    • Port 3872 (default)
    • Port range 1830-1849 (non-default)
• Configure Oracle Management Service on a host protected by a firewall
  – Configure OMS to use proxy server for its communication to agents outside the firewall
    • Update the following OMS properties via emctl set property command:
      – emctl set property -name <property> -value <value>
        PROXYHOST=proxyhostname.domain
        PROXYPORT=port
    • If there are some agents on the hosts that are inside the firewall, set dontProxyfor property for these hosts
        dontPROXYFor = hostname1,hostname2
  – Configure firewall to allow inbound communication from Agents to OMS
    • Default HTTP/HTTPS Ports: 4889/1159
    • Non-default port range 4890-4897/4898-4908
Authentication, Authorization and Auditing: The Three A’s
• Authentication
  – Determines whether someone is in fact who they are declared to be while accessing Enterprise Manager Grid Control
• Authorization
  – Provides access control to secure resources and functionalities within Enterprise Manager such as targets, jobs, templates, reports, etc.
• Audit
  – Keeps track of the actions that happened within Enterprise Manager to prevent repudiation
The Three A’s Best Practices: Authentication
• Repository-based authentication (Default)
  – Use password profile to enforce the password control such as password complexity, failed login attempt, password reuse max, password life time, etc.
• Leverage Grid Control user authentication to Oracle Single Sign-on (OSSO) or Enterprise User Security (EUS)
  – Simplify the identity management across the enterprise
  – Both SSO and EUS enable your users to authenticate to Grid Control by using their credentials stored in LDAP server
• Disable SYSMAN logging into Grid Control console by issuing the following SQL statement on Repository
    UPDATE MGMT_CREATED_USERS
    SET SYSTEM_USER='-1'
    WHERE user_name='SYSMAN';
• If you want to enable SYSMAN logging into Grid Control Console later on:
    UPDATE MGMT_CREATED_USERS
    SET SYSTEM_USER='1'
    WHERE user_name='SYSMAN';
• Change password for both SYSMAN and MGMT_VIEW on a regular basis
  – Prevent password crack attacks
  – emctl config oms -change_repos_pwd -change_in_db
  – emctl config oms -change_view_user_pwd
The Three A’s Best Practices Authorization Overview
• Two-step authorization process enables fine-grained access and segregation of duties:
  – Enterprise Manager authorization
    • Controls the access to the resources and functionalities within Enterprise Manager
      – Manage target metrics thresholds
      – Set alert notification rules
      – Enable/disable Enterprise Manager packs
  – Target authorization
    • Controls the access to the resources and functionalities within the target
      – CREATE new TABLE
      – Back-up database
      – Tune SQL
    • Enforced by target security model
    • Depends on the credential used to connect to the target
• Example:
  – Create new user, SQLTuningDBA, who is only responsible for tuning 2 of 100 managed database targets
    • Enterprise Manager authorization
      – Create EM user SQLTuningDBA
      – Grant VIEW Target Privilege on the 2 DB targets of interest
    • Target authorization
      – Target credentials used should have the following database privileges
        • select_any_catalog
        • administer sql tuning set
        • execute on dbms_workload_repository
The Three A’s Best Practices Enterprise Manager Authorization Overview
What type of administrator should the new user be?
• Normal Enterprise Manager Administrator
  – Has NO access to anything unless granted privileges
• Super Administrator
  – Has FULL privileges on all targets and the ability to create Super Administrators

What System Privilege(s) should the user have?
• Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1), e.g.,
  – Should the user be able to VIEW any targets?
  – Should the user be able to ADD new targets?

What targets should the user be able to access?
• Should the user only be able to monitor the databases of his own department?

What Target Privilege(s) should the user have?
• Enterprise Manager provides 7 Target Privileges, e.g.,
  – Should the user be able to blackout target 1, 2 and 3?
  – Should the user be able to change metric threshold setting for target 4, 5 and 6?
• Whether the user is able to tune performance of target 1 depends on the credential he uses to connect to target 1

Privilege Propagating Group
• If groups of targets are always monitored and managed in the same way, do we have to grant the privileges on these individual targets to the user?
• Privilege Propagating Group – Privileges granted on the group automatically granted on its members

Role
• If there are a set of users sharing the same responsibilities, do we have to grant all the individual privileges one by one to these users?
• Role – Set of privileges
The Three A’s Best Practices Enterprise Manager Authorization
• Reduce the number of Super Administrators
  – Super Administrators have FULL privilege on all targets and could create additional Super Administrators
• Grant only the minimum set of privileges
  – Follow the principle of least privilege to grant only the minimum set of privileges to the users to fulfill his responsibility
• Achieve segregation of duties and simplify authorization management
  – Grant roles instead of individual privileges to users
  – Use roles along with Privilege Propagating groups
• Monitor privilege/role operations through Enterprise Manager Auditing
The Three A’s Best Practices: Audit
• Extended actions audited by Enterprise Manager
  – 61 actions (33 new actions in 11g Release 1)
  – For example, User login/logoff, and privilege granting/revoking, changes on monitoring template, changes on user defined policies, and database target start/stop/restart
• Built-in externalization service to purge audit data from Repository and export to external file system automatically
    emcli update_audit_settings -file_prefix=<file_prefix> -directory_name=<directory_name> -file_size=<file size> -data_retention_period=<period in days>
• GUI interface to view and search audit data
  – Setup -> Management Service and Repository -> Audit Data
• Enable Audit for EM Operations
    emcli enable_audit
• If you only care about a subset of actions, you can just enable the auditing for them
    emcli update_audit_settings -audit_switch="ENABLE" -operations_to_enable="LOGIN;LOGOUT"
• Configure the externalization service to purge the audit data from the Repository to an external file system on a regular basis.
    emcli update_audit_settings \
      -directory="EM_DIR" \
      -file_prefix="emgc_audit" \
      -file_size="1000000" \
      -data_retention_period="60"
Security of Target Authentication: Credential System
• Credentials
  – Credentials are typically username and password required to access targets such as databases, hosts, etc.
  – Stored encrypted in Repository or Agent
• Usages of credentials:
  – Collect metrics in the background as well as in real-time
  – Perform jobs like Backup, Patching, Cloning, etc.
  – Real-time target administration like start, stop, etc.
  – Connect to My Oracle Support for patches
• Preferred credentials – per user basis
  – Default credential – per target type
  – Target credential – per target
  – Target credential overrides default credential
Target Authentication Best Practices: Credential System
• Do not set preferred credentials for group/common accounts, e.g., SYSMAN. The following SQL statement gives you the result of preferred credential setting:
    SELECT t.target_name, tc.user_name, tc.credential_set_name
    FROM MGMT_TARGET_CREDENTIALS tc, MGMT_TARGETS t
    WHERE tc.target_guid = t.target_guid;
• Keep track of the operations on credentials by enabling auditing of the corresponding actions
• Use emcli verbs to synchronize credentials between Enterprise Manager and its database targets
    emcli update_db_password -user_name="DBUserName" -change_at_target=yes
Target Authentication Best Practices: Host Target Authentication
• Configure Pluggable Authentication Module (PAM) to take advantage of rich authentication approaches to Host access
  – Kerberos, RADIUS and LDAP supported to take advantage of the centralized identity storage and management
  – WebIV 422073.1: How to configure Agent with PAM to support LDAP authentication
• Privilege Delegation (sudo/PowerBroker) supported across Enterprise Manager
  – Enable users to perform administrative tasks without providing credentials for functional accounts
Threats vs. Best Practices
Security Threats | Best Practices
Man-in-the-Middle Attacks | Securing the communication; Enable TLS v1 protocol; Configure firewalls; ……
Denial-of-Service Attacks | Secure individual Enterprise Manager components; ……
Exploitation of Authorization | Principle of least privileges; Auditing the authorization actions; ……
Password crack Attacks | Change password on a regular basis; Enable password profile to enforce password control; ……
Repudiation | Enable auditing for Grid Control actions
Oracle Enterprise Manager: Manage its Own Security
• Monitor its own security compliance
  – Security policies
    • Define the desired behaviors of systems in terms of security
  – Security at a glance
    • Provides an overview of the security health of the enterprise for all targets or specific groups
  – Notification of violations
    • Email, Page, SNMP Traps, etc.
• Fix its own security violations
  – Corrective actions
  – CPU Advisory
  – Patching automation
    • Connects to MOS to discover and pull in new patches
    • Rapidly deploys security patches
Useful Whitepapers
• Oracle Database Security Best Practices
  – http://www.oracle.com/technetwork/database/security/twp-security-checklist-database-1-132870.pdf
• Oracle WebLogic Server Security Best Practices
  – http://download.oracle.com/docs/cd/E12839_01/web.1111/e13705.pdf
• Oracle Enterprise Manager Security Deployment Best Practices
  – http://www.oracle.com/technetwork/oem/grid-control/twp-security-best-practices-133704.pdf
Additional Oracle Enterprise Manager Sessions

| Thursday, Sept. 23 | Location |
| --- | --- |
| 3:00 p.m. - The X-Files: Managing the Oracle Exadata and Highly Available Oracle Databases | Moscone S. Room 102 |
| 3:00 p.m. - Monitoring and Diagnosing Oracle RAC Performance with Oracle Enterprise Manager | Moscone S. Room 310 |

Oracle Enterprise Manager 11g Resource Center
Access Videos, Webcasts, White Papers, and More
Oracle.com/enterprisemanager11g
Q & A
Appendix
Infrastructure Security Best Practices: Oracle Management Repository
• Secure the Oracle Listener to defend against Denial-of-Service (DoS) attacks
  – Enable Connection Rate Limiter feature
    • Configure $TNS_ADMIN/admin/listener.ora
      – Connection_rate_Listenername = n
      – Rate_limit in ADDRESS section of listener endpoint configuration
        • Listenername=(ADDRESS=(PROTOCOL=tcp)(HOST=Server1)(PORT=1521)(RATE_LIMIT=yes))
  – Please refer to the link for more information: http://www.oracle.com/technetwork/database/enterprise-edition/oraclenetservices-connectionratelim-133050.pdf
Infrastructure Security Best Practices: Secure communication
• Secure lock OMS
  – Enforces the communication with OMS only over SSL/TLS
  – By default OMS is secure locked (10.2.0.5 and after)
  – If your instance is upgraded from a previous version that is not secure locked, please issue the following command
    • emctl secure lock
  – The following command tells you whether your OMS is secure locked or not
    • emctl status oms -details
      HTTP Console Port : 7802
      HTTPS Console Port : 5416
      HTTP Upload Port : 7654
      HTTPS Upload Port : 4473
      Agent Upload is locked.
      OMS Console is locked.
      Active CA ID: 1
Infrastructure Security Best Practices: Secure communication
• Secure the agent
  – emctl status agent -secure
    …
    Agent is secure at HTTPS Port 1838
    OMS is secure on HTTPS Port 4473
  – emctl secure agent
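The two status outputs shown on the secure-lock and secure-agent slides can be checked together. The following is an added example, not Oracle code: it parses both outputs, confirms the locks, and cross-checks that the OMS HTTPS port the agent reports matches the OMS HTTPS upload port. The function names and the finding texts are hypothetical; the sample outputs are constructed from the values on the slides.

```python
import re

# Constructed samples, using the values shown on the slides.
OMS_STATUS = """\
HTTP Console Port : 7802
HTTPS Console Port : 5416
HTTP Upload Port : 7654
HTTPS Upload Port : 4473
Agent Upload is locked.
OMS Console is locked.
Active CA ID: 1
"""
AGENT_STATUS = """\
Agent is secure at HTTPS Port 1838
OMS is secure on HTTPS Port 4473
"""


def parse_oms_status(text):
    """Extract ports and lock flags from 'emctl status oms -details' output."""
    ports = {name: int(port)
             for name, port in re.findall(r"(HTTPS? \w+ Port)\s*:\s*(\d+)", text)}
    return {
        "ports": ports,
        "upload_locked": "Agent Upload is locked." in text,
        "console_locked": "OMS Console is locked." in text,
    }


def parse_agent_status(text):
    """Extract the HTTPS ports from 'emctl status agent -secure' output."""
    agent = re.search(r"Agent is secure at HTTPS Port (\d+)", text)
    oms = re.search(r"OMS is secure on HTTPS Port (\d+)", text)
    return {"agent_https": int(agent.group(1)) if agent else None,
            "oms_https": int(oms.group(1)) if oms else None}


def findings(oms_text, agent_text):
    """Return a list of problems; an empty list means locked and consistent."""
    oms, agent = parse_oms_status(oms_text), parse_agent_status(agent_text)
    issues = []
    if not oms["upload_locked"]:
        issues.append("agent upload is not locked to HTTPS")
    if not oms["console_locked"]:
        issues.append("OMS console is not locked to HTTPS")
    if agent["agent_https"] is None:
        issues.append("agent is not secured")
    if agent["oms_https"] != oms["ports"].get("HTTPS Upload Port"):
        issues.append("agent's OMS HTTPS port differs from the OMS HTTPS upload port")
    return issues
```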
Infrastructure Security Best Practices: Secure communication
• Securing communication between OMS and Repository by enabling network security feature of Advanced Security Option (ASO)
  – ASO is a DB option that combines network encryption, database encryption and strong authentication together to help customers address privacy and compliance requirements
  – Ensures that the data between OMS and Repository is secure from both confidentiality and integrity standpoints
Infrastructure Security Best Practices: Secure communication
• Securing communication between OMS and Repository by enabling network security feature of Advanced Security Option (ASO)
  – Steps:
    • Set the following OMS configuration parameters with the appropriate values by issuing the following command:
      – emctl set property -name <property_name> -value <value>
        oracle.sysman.emRep.dbConn.enableEncryption=true
        oracle.net.encryption_client=REQUESTED
        oracle.net.encryption_types_client={DES40C}
        oracle.net.crypto_checksum_client=REQUESTED
        oracle.net.crypto_checksum_types_client={MD5}
    • Add the following to Repository’s $TNS_ADMIN/sqlnet.ora
      – SQLNET.ENCRYPTION_SERVER = REQUESTED
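Whether these settings actually turn encryption and checksumming on depends on how Oracle Net negotiates the two sides' levels. The following is an added example, not Oracle code: it applies the Oracle Net negotiation rules for REJECTED, ACCEPTED, REQUESTED and REQUIRED to the slide's values, treating an unset parameter as the default ACCEPTED. It assumes both sides share at least one algorithm; the function names are hypothetical and the inputs are constructed from the slide.

```python
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
DEFAULT = "ACCEPTED"  # Oracle Net level when a parameter is not set


def negotiate(client, server):
    """Return 'on', 'off' or 'fail' for a client/server pair of levels."""
    pair = {client.upper(), server.upper()}
    if not pair <= set(LEVELS):
        raise ValueError(f"unknown level in {sorted(pair)}")
    if "REJECTED" in pair:
        # A REQUIRED peer refuses the connection; any other peer goes cleartext.
        return "fail" if "REQUIRED" in pair else "off"
    if pair == {"ACCEPTED"}:
        return "off"  # neither side asks for the service
    return "on"


def setting(text, name):
    """Read 'name = value' from properties or sqlnet.ora text (case-insensitive)."""
    match = re.search(rf"^\s*{re.escape(name)}\s*=\s*(\w+)", text, re.I | re.M)
    return match.group(1).upper() if match else DEFAULT


def review(oms_props, sqlnet_ora):
    """Return {service: (client level, server level, outcome)}."""
    pairs = [
        ("encryption", "oracle.net.encryption_client", "SQLNET.ENCRYPTION_SERVER"),
        ("checksum", "oracle.net.crypto_checksum_client",
         "SQLNET.CRYPTO_CHECKSUM_SERVER"),
    ]
    result = {}
    for service, client_param, server_param in pairs:
        c, s = setting(oms_props, client_param), setting(sqlnet_ora, server_param)
        result[service] = (c, s, negotiate(c, s))
    return result


# Constructed inputs mirroring the slide: OMS properties and repository sqlnet.ora.
OMS_PROPS = """\
oracle.sysman.emRep.dbConn.enableEncryption=true
oracle.net.encryption_client=REQUESTED
oracle.net.encryption_types_client={DES40C}
oracle.net.crypto_checksum_client=REQUESTED
oracle.net.crypto_checksum_types_client={MD5}
"""
SQLNET_ORA = "SQLNET.ENCRYPTION_SERVER = REQUESTED\n"

if __name__ == "__main__":
    for service, (c, s, outcome) in review(OMS_PROPS, SQLNET_ORA).items():
        print(f"{service}: client={c} server={s} -> {outcome}")
```

With REQUESTED on both sides the service is on, but a peer later set to REJECTED silently yields cleartext; only REQUIRED on one side turns that case into a failed connection.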
Infrastructure Security Best Practices: Secure communication
• Enable the strong cipher suites for the communication between Enterprise Manager components
  – Agent
    • Edit $AGENT_HOME/sysman/config/emd.properties to configure the strong cipher suites
      SSLCipherSuites= SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_AES_128_CBC_SHA:SSL_RSA_WITH_AES_256_CBC_SHA
  – OMS:
    • Update the following parameter in $INSTANCE_HOME/WebTierIH1/config/OHS/ohs1/httpd_em.conf and ssl.conf files
      SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
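Cipher lists like the two above are worth auditing after every change. The following is an added example, not Oracle code: it reads the `SSLCipherSuites=` form used in emd.properties and the `SSLCipherSuite` form used in the OHS files, and flags suites that are weak by current standards. The weak-suite classification and all function names are assumptions of this example; the inputs are constructed from the slide's lists.

```python
import re

# Name fragments that mark a suite as weak by current standards. This
# classification is an assumption of the example, not taken from the slides.
WEAK_MARKERS = [
    ("EXPORT", "export-grade key length"),
    ("DES40", "40-bit DES"),
    ("_DES_", "single DES, 56-bit key"),
    ("RC4", "RC4 stream cipher"),
    ("3DES", "3DES, 64-bit block"),
    ("NULL", "no encryption"),
]

# Matches "SSLCipherSuites= a:b" (emd.properties) and "SSLCipherSuite a:b" (OHS).
DIRECTIVE = re.compile(r"^\s*SSLCipherSuites?\s*[=\s]\s*(\S.*)$")


def parse_suites(config_text):
    """Return the suites named on every active SSLCipherSuite(s) line, in order."""
    suites = []
    for line in config_text.splitlines():
        match = DIRECTIVE.match(line)  # commented-out lines start with '#': no match
        if match:
            suites += [s.strip() for s in match.group(1).split(":") if s.strip()]
    return suites


def audit(config_text):
    """Map each weak suite to the reasons it was flagged; other suites are omitted."""
    findings = {}
    for suite in parse_suites(config_text):
        reasons = [why for marker, why in WEAK_MARKERS if marker in suite.upper()]
        if reasons:
            findings[suite] = reasons
    return findings


# Constructed inputs: one line per file, carrying the cipher lists from the slide.
AGENT_EMD_PROPERTIES = (
    "SSLCipherSuites= SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:"
    "SSL_RSA_WITH_AES_128_CBC_SHA:SSL_RSA_WITH_AES_256_CBC_SHA\n"
)
OMS_SSL_CONF = (
    "SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:"
    "SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA\n"
)

if __name__ == "__main__":
    for name, text in [("agent", AGENT_EMD_PROPERTIES), ("OMS", OMS_SSL_CONF)]:
        for suite, reasons in audit(text).items():
            print(f"{name}: {suite}: {', '.join(reasons)}")
```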
Infrastructure Security Best Practices: Secure communication
• Use a certificate from a well-known Certificate Authority (CA) for the communication
  – Trusted certificates
  – Different expiry and key size that meet special security rules
  – Steps:
    • Create a wallet for each OMS in the grid.
    • Write certificates of all the Certificate Authorities in the certificate chain into file trusted_certs.txt.
    • Download the trusted_certs.txt file to the agents' host machines
    • Restart Agent after running the add_trust_cert command.
      emctl secure add_trust_cert -trust_certs_loc <location of trusted_certs.txt file>
    • Secure OMS and restart it.
      emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt>
Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls
• Firewall between browsers and Grid Control Console
  – Configure the firewall to allow Grid Control Console to receive HTTP traffic over 7778
    • Or 7777 if Web cache is used in OMS home
  – If Grid Control Console is secured as mentioned earlier, configure firewall to allow Grid Control Console to receive HTTPS traffic over port 4443
Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls
• Configure firewall between OMS and Repository to allow Oracle Net traffic flow
  – As mentioned earlier, to secure the communication between OMS and Repository, we need to enable Oracle ASO for Repository
  – ASO supports the following two types of firewalls
    • Application proxy-based firewalls, such as Network Associates Gauntlet, or Axent Raptor
    • Stateful packet inspection firewalls, such as Check Point Firewall-1, or Cisco PIX Firewall
  – Some vendors’ firewalls can be configured to recognize Oracle*Net traffic with their Oracle Net Proxy Traffic Kits
    • Otherwise, define an ACL that allows traffic flow between the subnet hosting the OMS and the subnet hosting the repository
Privilege Propagating Group
• Privilege Propagating Group
  – A special group whose granted privileges are propagated to its nested and direct members
    • For a normal group, no matter what privileges (FULL, OPERATOR or VIEW) on the group are granted to you, you’ll only get VIEW privileges on the group members
  – System privilege “Create Privilege Propagating Group” is required to create this type of group
  – “Full privilege” on the target is required to add the target as a member of a group
  – emcli verb to convert between a normal group and a privilege propagating group
    • emcli modify_group -privilege_propagating=true/false
• Privilege Propagating System, Redundancy Group, Aggregate Services
Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls
• Configure OMS to use a proxy server for its connections to My Oracle Support to check CPUs
• Update the following OMS properties via the emctl set property command:
  – emctl set property -name <property> -value <value>
    PROXYHOST=proxyhostname.domain
    PROXYPORT=port
• If there are some agents on the hosts that are inside the firewall, set the dontProxyfor property for these hosts
    dontPROXYFor = hostname1,hostname2
Manage Enterprise Manager Security: Monitor its own Security
• Security Policies
  – Help you quickly identify systems that are not in compliance
  – Out-of-box policies adopted from industry best practices
  – Customize policies to meet specific security needs in your organization
• Security at a glance
  – Helps you to quickly focus on security issues by showing statistics about security policy violations and noting the critical security patches that have not been applied
    • Compliance scores and Violation flux
• Notification of violations
  – E-mail, Page, SNMP Traps, etc.
Manage Enterprise Manager Security: Fix its Own Security Violations
• Corrective actions to remediate violations
• CPU Advisories
• Patching automation
  – Connects to MOS to discover and pull in new patches
  – Rapidly deploys security patches