Oracle® Advanced Support GatewaySecurity Guide
Part No: E40643-24May 2018
Oracle Advanced Support Gateway Security Guide
Part No: E40643-24
Copyright © 2018, Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Exceptas expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform,publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, isprohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation,delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplementalregulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on thehardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerousapplications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take allappropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of thissoftware or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks ofSPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registeredtrademark of The Open Group.
This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates arenot responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreementbetween you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content,products, or services, except as set forth in an applicable agreement between you and Oracle.
Access to Oracle Support
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Référence: E40643-24
Copyright © 2018, Oracle et/ou ses affiliés. Tous droits réservés.
Ce logiciel et la documentation qui l'accompagne sont protégés par les lois sur la propriété intellectuelle. Ils sont concédés sous licence et soumis à des restrictions d'utilisation etde divulgation. Sauf stipulation expresse de votre contrat de licence ou de la loi, vous ne pouvez pas copier, reproduire, traduire, diffuser, modifier, accorder de licence, transmettre,distribuer, exposer, exécuter, publier ou afficher le logiciel, même partiellement, sous quelque forme et par quelque procédé que ce soit. Par ailleurs, il est interdit de procéder à touteingénierie inverse du logiciel, de le désassembler ou de le décompiler, excepté à des fins d'interopérabilité avec des logiciels tiers ou tel que prescrit par la loi.
Les informations fournies dans ce document sont susceptibles de modification sans préavis. Par ailleurs, Oracle Corporation ne garantit pas qu'elles soient exemptes d'erreurs et vousinvite, le cas échéant, à lui en faire part par écrit.
Si ce logiciel, ou la documentation qui l'accompagne, est livré sous licence au Gouvernement des Etats-Unis, ou à quiconque qui aurait souscrit la licence de ce logiciel pour lecompte du Gouvernement des Etats-Unis, la notice suivante s'applique :
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation,delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplementalregulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on thehardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
Ce logiciel ou matériel a été développé pour un usage général dans le cadre d'applications de gestion des informations. Ce logiciel ou matériel n'est pas conçu ni n'est destiné à êtreutilisé dans des applications à risque, notamment dans des applications pouvant causer un risque de dommages corporels. Si vous utilisez ce logiciel ou ce matériel dans le cadred'applications dangereuses, il est de votre responsabilité de prendre toutes les mesures de secours, de sauvegarde, de redondance et autres mesures nécessaires à son utilisation dansdes conditions optimales de sécurité. Oracle Corporation et ses affiliés déclinent toute responsabilité quant aux dommages causés par l'utilisation de ce logiciel ou matériel pour desapplications dangereuses.
Oracle et Java sont des marques déposées d'Oracle Corporation et/ou de ses affiliés. Tout autre nom mentionné peut correspondre à des marques appartenant à d'autres propriétairesqu'Oracle.
Intel et Intel Xeon sont des marques ou des marques déposées d'Intel Corporation. Toutes les marques SPARC sont utilisées sous licence et sont des marques ou des marquesdéposées de SPARC International, Inc. AMD, Opteron, le logo AMD et le logo AMD Opteron sont des marques ou des marques déposées d'Advanced Micro Devices. UNIX est unemarque déposée de The Open Group.
Ce logiciel ou matériel et la documentation qui l'accompagne peuvent fournir des informations ou des liens donnant accès à des contenus, des produits et des services émanant detiers. Oracle Corporation et ses affiliés déclinent toute responsabilité ou garantie expresse quant aux contenus, produits ou services émanant de tiers, sauf mention contraire stipuléedans un contrat entre vous et Oracle. En aucun cas, Oracle Corporation et ses affiliés ne sauraient être tenus pour responsables des pertes subies, des coûts occasionnés ou desdommages causés par l'accès à des contenus, produits ou services tiers, ou à leur utilisation, sauf mention contraire stipulée dans un contrat entre vous et Oracle.
Accès aux services de support Oracle
Les clients Oracle qui ont souscrit un contrat de support ont accès au support électronique via My Oracle Support. Pour plus d'informations, visitez le site http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info ou le site http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs si vous êtes malentendant.
Oracle Advanced Support Gateway Security Guide
Part No: E40643-24
Copyright © 2018, Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Exceptas expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform,publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, isprohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation,delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplementalregulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on thehardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerousapplications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take allappropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of thissoftware or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks ofSPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registeredtrademark of The Open Group.
This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates arenot responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreementbetween you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content,products, or services, except as set forth in an applicable agreement between you and Oracle.
Access to Oracle Support
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Référence: E40643-24
Copyright © 2018, Oracle et/ou ses affiliés. Tous droits réservés.
Ce logiciel et la documentation qui l'accompagne sont protégés par les lois sur la propriété intellectuelle. Ils sont concédés sous licence et soumis à des restrictions d'utilisation etde divulgation. Sauf stipulation expresse de votre contrat de licence ou de la loi, vous ne pouvez pas copier, reproduire, traduire, diffuser, modifier, accorder de licence, transmettre,distribuer, exposer, exécuter, publier ou afficher le logiciel, même partiellement, sous quelque forme et par quelque procédé que ce soit. Par ailleurs, il est interdit de procéder à touteingénierie inverse du logiciel, de le désassembler ou de le décompiler, excepté à des fins d'interopérabilité avec des logiciels tiers ou tel que prescrit par la loi.
Les informations fournies dans ce document sont susceptibles de modification sans préavis. Par ailleurs, Oracle Corporation ne garantit pas qu'elles soient exemptes d'erreurs et vousinvite, le cas échéant, à lui en faire part par écrit.
Si ce logiciel, ou la documentation qui l'accompagne, est livré sous licence au Gouvernement des Etats-Unis, ou à quiconque qui aurait souscrit la licence de ce logiciel pour lecompte du Gouvernement des Etats-Unis, la notice suivante s'applique :
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation,delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplementalregulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on thehardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
Ce logiciel ou matériel a été développé pour un usage général dans le cadre d'applications de gestion des informations. Ce logiciel ou matériel n'est pas conçu ni n'est destiné à êtreutilisé dans des applications à risque, notamment dans des applications pouvant causer un risque de dommages corporels. Si vous utilisez ce logiciel ou ce matériel dans le cadred'applications dangereuses, il est de votre responsabilité de prendre toutes les mesures de secours, de sauvegarde, de redondance et autres mesures nécessaires à son utilisation dansdes conditions optimales de sécurité. Oracle Corporation et ses affiliés déclinent toute responsabilité quant aux dommages causés par l'utilisation de ce logiciel ou matériel pour desapplications dangereuses.
Oracle et Java sont des marques déposées d'Oracle Corporation et/ou de ses affiliés. Tout autre nom mentionné peut correspondre à des marques appartenant à d'autres propriétairesqu'Oracle.
Intel et Intel Xeon sont des marques ou des marques déposées d'Intel Corporation. Toutes les marques SPARC sont utilisées sous licence et sont des marques ou des marquesdéposées de SPARC International, Inc. AMD, Opteron, le logo AMD et le logo AMD Opteron sont des marques ou des marques déposées d'Advanced Micro Devices. UNIX est unemarque déposée de The Open Group.
Ce logiciel ou matériel et la documentation qui l'accompagne peuvent fournir des informations ou des liens donnant accès à des contenus, des produits et des services émanant detiers. Oracle Corporation et ses affiliés déclinent toute responsabilité ou garantie expresse quant aux contenus, produits ou services émanant de tiers, sauf mention contraire stipuléedans un contrat entre vous et Oracle. En aucun cas, Oracle Corporation et ses affiliés ne sauraient être tenus pour responsables des pertes subies, des coûts occasionnés ou desdommages causés par l'accès à des contenus, produits ou services tiers, ou à leur utilisation, sauf mention contraire stipulée dans un contrat entre vous et Oracle.
Accès aux services de support Oracle
Les clients Oracle qui ont souscrit un contrat de support ont accès au support électronique via My Oracle Support. Pour plus d'informations, visitez le site http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info ou le site http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs si vous êtes malentendant.
Contents
Oracle Advanced Support Gateway Security Guide ........................................... 9About Oracle Advanced Support Gateway ........................................................... 9General Requirements .................................................................................... 10Changes to the Security Guide Since the Last Release .......................................... 10Firewall Port Requirements ............................................................................. 11External Connection ....................................................................................... 12
TLS VPN and Oracle Advanced Support Gateway ...................................... 13Alternative External Connection Option .................................................... 14
Controlling Remote VPN Access Using the Green Button Icon .............................. 14Customer Access to the Gateway ..................................................................... 15Internal Connection ....................................................................................... 15Firewall Rules: Ports and Protocols .................................................................. 15
Firewall Rules for External Traffic ........................................................... 17Firewall Rules for External Traffic Through the Encrypted VPN Tunnel .......... 18
Firewall Rules for Internal Traffic .................................................................... 19Firewall Rules Between the Gateway and the Customer Network ................... 20Firewall Rules for Gateway Hardware Self Monitoring ................................. 21Firewall Rules Between the Gateway and Exadata ....................................... 22Firewall Rules Between the Gateway and ZDLRA ...................................... 24Firewall Rules Between the Gateway and ZFS ............................................ 26Firewall Rules Between the Gateway and Exalogic ...................................... 28Firewall Rules Between the Gateway and SuperCluster ................................ 30Firewall Rules Between the Gateway and Exalytics ..................................... 33Firewall Rules Between the Gateway and Oracle Database Appliance .............. 34Firewall Rules Between the Gateway and Oracle Big Data Appliance .............. 35Firewall Rules Between the Gateway and Oracle Standalone Hosts ................. 37Firewall Rules Between the Gateway and Oracle Third-Party Hosts ................ 38Firewall Rules Between the Gateway and Hosts to be Monitored by ADS ......... 39ZFS, Exalogic, and SuperCluster ASR Endpoint IP Address Changes .............. 40
7
Contents
Implementation Changes to a Customer System .................................................. 41The Monitoring Matrix ........................................................................... 41Implementation Impact on the Environment ............................................... 42All Systems With An Agent Deployed ...................................................... 43Engineered Systems ............................................................................... 44Engineered System Cisco Switches ........................................................... 44Engineered System Infiniband Switches .................................................... 45Engineered System PDU's ....................................................................... 45OVS Compute Nodes ............................................................................. 45Exalogic Compute Nodes (Physical Implementation) and Exalogic VirtualMachines / Control Virtual Machines ........................................................ 46ZFS Storage Array Storage Heads ............................................................ 46Pillar Axiom 600 Storage Arrays ............................................................. 47Utilization Impact Risk of OEM Cloud Control Agent on MonitoredSystems ............................................................................................... 47Backout Plan ........................................................................................ 48
Server Prerequisites for Monitoring Deployment ................................................. 48Server Prerequisites for Monitoring Deployment ......................................... 48Monitoring Access: an Overview ............................................................. 49User Privileges ...................................................................................... 49Solaris 11 Initial Setup User RBAC Profile ................................................ 51Solaris 10 Initial Setup User RBAC Profile ................................................ 53Solaris sudo Profile ............................................................................... 54Linux sudo Profile ................................................................................. 55
Storage Prerequisites for Monitoring Deployment ............................................... 55Monitoring Deployment: an Overview ...................................................... 56Oracle ZFS Storage Appliances ............................................................... 56
Audit Logging .............................................................................................. 57Enabling and Disabling Logging Messages ................................................ 59
Managing ASR Audit Logs ............................................................................. 61About ASR Audit Logs .......................................................................... 61Viewing ASR Audit Logs ....................................................................... 61Downloading ASR Audit Logs ................................................................ 62
8 Oracle Advanced Support Gateway Security Guide • May 2018
Oracle Advanced Support Gateway SecurityGuide
This document outlines the requirements for deploying Oracle Advanced Support Gateway intothe customer environment to support the delivery of certain Oracle remote services (hereafterreferred to as Oracle Services.) The Oracle Advanced Support Gateway is an important partof the Oracle delivery architecture for Oracle Services and its placement must be carefullyconsidered in order for Oracle to deliver Oracle Services. This document outlines networkconfiguration options when integrating the Oracle Advanced Support Gateway device withinthe customer environment. To help explain these options, this document assumes a "simple"customer-side network topology. However, these options can extend to more complex networktopologies.
About Oracle Advanced Support Gateway
Oracle Advanced Support Gateway is a multi-purpose platform designed to facilitate a numberof Oracle Services including Oracle Platinum Services, Advanced Monitoring and Resolution,LifeCycle services, and Business Critical Service for Systems. The Oracle Advanced SupportGateway enables the simplification of network requirements and a single point of access for theprovision and delivery of these services.
The Gateway platform is based on the Oracle Linux operating system and hosts a full setof Oracle software stacks, including Automated Service Request (ASR), Oracle EnterpriseManager (12c or 13c), Oracle Configuration Manager, patch management (such as YUMservices), and a suite of Java applications. Together, these applications aggregate androute telemetry messages from the customer environment to the Oracle Support Servicesinfrastructure. The Oracle Advanced Support Gateway provides remote access for Oracleengineers to access the customer network (with customer permission) and to carry out approvedactions on customers' monitored systems.
Oracle Advanced Support Gateway Security Guide 9
General Requirements
General Requirements
There are a number of general requirements that are necessary for Oracle to deliver OracleServices:
■ An Oracle Advanced Support Gateway must be provisioned into the customer'senvironment.
■ All monitored systems must be network accessible from Oracle Advanced SupportGateway.
■ The monitored systems must be dedicated to the customer. Oracle will not be able to deliverservices for monitored systems which are not exclusively owned and controlled by thecustomer. Oracle recommends a dedicated, physical server. The Gateway can be deployedin a VM instance running on a standalone Oracle Virtual Machine (OVM) server. No othervirtualization technologies, for example, VMWare, are supported.
■ Oracle must have access to certain ports and protocols (described below) in order toimplement and deliver Oracle Services.
■ The Oracle Advanced Support Gateway must be continuously accessible from the OracleSupport Platform using the secure protocols described below. However, Oracle AdvancedSupport Gateway must not be directly exposed to the Internet.
In order to expedite the implementation process, the customer will be required to provide highlevel network topology which should include:
■ IP numbering scheme■ Routing policy■ Locations of firewalls■ Locations of monitored systems■ Proposed location of Gateway
Having this information enables Oracle to provide a recommendation regarding OracleAdvanced Support Gateway placement.
Changes to the Security Guide Since the Last Release
This section outlines the principal changes made to the Oracle Advanced Support GatewaySecurity Guide since the last release (E40643-23; April 2018.)
■ One of the NTP servers (137.254.105.5/32) to which customers required access through theVPN tunnel (for IPsec as well as for SSL-VPN) has been removed in this release as it is nolonger required.
10 Oracle Advanced Support Gateway Security Guide • May 2018
Firewall Port Requirements
The NTP servers to which access is now required are as follows:■ 192.206.43.197/32■ 198.51.38.199/32
Refer to “Firewall Rules for External Traffic Through the Encrypted VPNTunnel” on page 18 for further informatiion.
■ A firewall rule has been added - and the source and destination values swapped to correct anerror in version 23 of Oracle Advanced Support Gateway Security Guide - for the followingsystems in order to provide support for the Patch Download service over TCP on port 443:■ Exadata: DB Nodes and DomU■ ZDLRA: Compute Node■ Exalogic: Compute Node
Exalogic: OVS Compute NodeExalogic: Control VMs
■ Supercluster: Primary Domains■ Exalytics: Domains, Dom0, and DomU■ Oracle Database Appliance: DB, DomU, and Compute Node■ Oracle Big Data Appliance: Compute Node and DomU■ Oracle Standalone Hosts: Host■ Oracle Third Party Hosts: Host■ ADS Hosts: Host
Refer to the individual firewall tables in “Firewall Rules for Internal Traffic” on page 19for further informatiion.
■ An optional firewall rule has been added for users of the Oracle Advanced Monitoring andResolution and Oracle Lifecycle Support services to access the Reporting Dashboard onOracle Advanced Support Gateway.
Firewall Port RequirementsThe specifics of the Oracle Services network requirement depends on the customer networktopology relative to the Oracle Services Support centers, Oracle Advanced Support Gateway,and the monitored systems. The customer networks must be configured to permit traffic flow asshown in the diagram below.
The firewall rules must be set up to allow traffic flow in two situations:
■ Between Oracle Advanced Support Gateway and Oracle Services Support centers. This isreferred to as the external connection.
Oracle Advanced Support Gateway Security Guide 11
External Connection
Note - A web proxy can be used to proxy the HTTPS traffic across the external connection.However, Oracle Advanced Support Gateway does not support NTLM or Kerberos proxyauthentication. The Transport Layer Security (TLS) VPN traffic cannot be routed through aproxy server.
Caution - To defend against security attacks, you should never connect Oracle AdvancedSupport Gateway interfaces or the Oracle ILOM Service Processor to a public network, suchas the Internet. The Gateway should never be exposed directly to the Internet without theprotection of a customer firewall or Access Control List (ACL.) You should keep the OracleILOM Service Processor management traffic on a separate management network and grantaccess only to system administrators. For further information, see the section on Securing thePhysical Management Connection in the Oracle ILOM Security Guide.
■ Between Oracle Advanced Support Gateway and the customer's monitored devices, througha customer-controlled firewall or other security devices. This is referred to as the internalconnection.
The diagram below depicts an example traffic flow between monitored systems and Oracle.(Detailed firewall rules and templates are provided to the customer during the implementationprocess.)
FIGURE 1 High Level Traffic Flow and Firewall Requirement
External Connection
Oracle utilizes a combination of a VPN solution and TLS to secure communications betweenOracle Advanced Support Gateway, located within the customer's environment, and the Oracle
12 Oracle Advanced Support Gateway Security Guide • May 2018
External Connection
Services Support center locations. The VPN is primarily used for tasks such as facilitatingpatching requirements from Oracle Services Support center locations to Oracle AdvancedSupport Gateway and TLS is used for transporting the monitoring telemetry from OracleAdvanced Support Gateway to the Oracle Services Support center locations.
TLS VPN and Oracle Advanced Support Gateway
The Oracle Advanced Support Gateway is configured with a software TLS-based VPN client.When the Gateway boots up, it opens an outbound connection to one of three Oracle ServicesSupport centers, establishing a TLS VPN tunnel. At that point, this connection is used forinbound connectivity between the Oracle Services Support center and the Gateway. No inboundfirewall port openings are required, as the initial connection is outbound. The Gateway isassigned a unique ID and password and connects to one of three Oracle VPN concentrators. TheTLS-based VPN has the following features:
■ Connection based on TLS 1.2, AES256 symmetric encryption to ensure traffic integrity andconfidentiality
■ Continuous VPN connection availability through the use of active/passive VPN clusterservers at the Oracle Services Support centers. Any hardware or software issues on theactive VPN server failover all connections to the backup VPN.
■ Disaster recovery processes that use multiple clusters around the world. Any connectionissue with one of the Oracle Services Support centers failover client connections to the otherOracle Services Support centers.
FIGURE 2 A TLS-Based VPN Client Connection from Oracle Advanced Support Gateway toOracle
Oracle Advanced Support Gateway Security Guide 13
Controlling Remote VPN Access Using the Green Button Icon
Note - The TLS VPN is the standard method for establishing the connection with Oracle.Alternative connection methods are available on an exception, customer-by-customer basisthat is summarized in “Alternative External Connection Option” on page 14. If you wish toexplore these options further, please contact your Oracle Implementation Manager.
Alternative External Connection Option
Oracle offers an alternate method for establishing a connection using IPSec. The connectionis terminated on the customer's existing VPN hardware. This option generally requires anextended implementation cycle and is approved on an exception basis. If the customer choosesto use their existing VPN device (for example, firewall or VPN concentrator) as a terminationpoint, the VPN overall requirements described above remain the same. The encryption domainrequirements for this connection will create a more complex configuration.
The requirements include, but are not limited to:
■ A public IP per Gateway connection supplied by the customer for use inside the VPNencryption domain;
■ Access to one /26 subnet and multiple /32 addresses inside the encryption domain;■ Allowing the ports and protocols listed in the table specifying firewall rules between
the Gateway and Oracle standalone hosts in this guide (see “Firewall Rules Between theGateway and Oracle Standalone Hosts” on page 37) to communicate across the VPN;
■ Network Address Translation (NAT) can be used for the source address of the Gatewayoutbound to the Internet for external communication back to Oracle. For the Oracle Serviceendpoints to which the Gateway needs to communicate, NAT is not supported. These OracleService endpoints must reside on their public IP addresses.
Controlling Remote VPN Access Using the Green ButtonIcon
Oracle security policies require a VPN between Oracle and the customer so that Oracle canaccess the customer systems. The Oracle Advanced Support Gateway enables the customer tocontrol remote access to enable and disable VPN connectivity with Oracle. The Remote Accessicon, also referred to as the Green Button, is displayed in the utility menu on the top-right of theGateway user interface. You can set the duration of a VPN session, toggle the icon to turn theremote access session on or off, or view a history of remote access control sessions.
14 Oracle Advanced Support Gateway Security Guide • May 2018
Customer Access to the Gateway
Note - Remote VPN Access ("Green Button") functionality is not available for all OracleConnected Services. Please refer to your Oracle representative for further details.
This feature is described in Oracle Advanced Support Gateway User's Guide.
Customer Access to the Gateway
After installation of Oracle Advanced Support Gateway is complete, Oracle retains access tothe Gateway and will require ongoing access to it for delivery of services (customer accessto the Lights Out Management (LOM) section of the server is permitted.) Customer access isauthorized only through the Customer Admin account which enables the use of the CLISHcommand line interface (CLI), and through the Gateway Web portal that the customer canaccess using a browser. This CLI exposes only those commands and configuration wizardsthat are intended for customer interaction and customization of the Gateway. Customers arenot authorized to access the Gateway using any other user account or other CLIs (such asbash or sh). Customers should not modify the Gateway to obtain access as other users (forexample, root) and should not install any software agentry (monitoring or management) onthe Gateway. To do so would represent unauthorized access to, or modification of, an Oraclemanaged system.
Internal Connection
Placing Oracle Advanced Support Gateway in a customer's DMZ that is not directly exposedto the Internet is the recommended internal connection option. By placing Oracle AdvancedSupport Gateway in a DMZ behind an Internet firewall, the customer has control of traffictraversing their internal networks and also of inbound connections from the Internet.
Firewall Rules: Ports and Protocols
This section provides information about the standard firewall port configurations necessary forthe delivery of Oracle Services.
Note - The final port and firewall requirements depend on the specific Engineered Systembeing monitored by Oracle Services, the connectivity method chosen, and the actual customernetwork design.
Oracle Advanced Support Gateway Security Guide 15
Firewall Rules: Ports and Protocols
The following table outlines firewall port configurations and tables that provide information onmonitoring requirements. Each table is associated with the services and systems which apply toit, for example, All Services means all remotely delivered services: Oracle Platinum Services,Oracle Advanced Monitoring and Resolution, and Oracle Advanced Database Services (ADS.)
TABLE 1 Firewall Rules Tables, Other Monitoring Tables and Applicable Oracle Services and Systems
Table Description Applicable Oracle Services/Systems
“Firewall Rules for External Traffic” on page 17 All Oracle Services
“Firewall Rules Between the Gateway and the Customer Network” on page 20 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution
“Firewall Rules for Gateway Hardware Self Monitoring” on page 21 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Exadata” on page 22 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and ZDLRA” on page 24 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and ZFS” on page 26 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Exalogic” on page 28 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and SuperCluster” on page 30 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Exalytics” on page 33 ■ Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Oracle DatabaseAppliance” on page 34
■ Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Oracle Big DataAppliance” on page 35
■ Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Oracle StandaloneHosts” on page 37
■ Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Oracle Third-PartyHosts” on page 38
■ Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Hosts to be Monitored byADS” on page 39
■ Oracle Advanced Database Support (ADS)
“ZFS, Exalogic, and SuperCluster ASR Endpoint IP AddressChanges” on page 40
■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution
“Firewall Rules for External Traffic Through the Encrypted VPNTunnel” on page 18
■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution
“The Monitoring Matrix” on page 41 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution
“Utilization Impact Risk of OEM Cloud Control Agent on Monitored Systems” on page 47
All Oracle Services
16 Oracle Advanced Support Gateway Security Guide • May 2018
Firewall Rules: Ports and Protocols
Table Description Applicable Oracle Services/Systems
“Restricted User for Monitoring Deployment (AKSH Shell)” on page 56 ■ Oracle Platinum Services■ Oracle Advanced Monitoring and Resolution
The firewall port configurations are divided into sections:
■ “Firewall Rules for External Traffic” on page 17■ “Firewall Rules for External Traffic Through the Encrypted VPN Tunnel” on page 18■ “Firewall Rules for Internal Traffic” on page 19
Firewall Rules for External Traffic
Note - The source for all these entries is Oracle Advanced Support Gateway. The rules inTable 2, “Firewall Rules Between Oracle Advanced Support Gateway and the Oracle ServicesSupport Center,” on page 17 apply to all of Oracle's Connected Services.
TABLE 2 Firewall Rules Between Oracle Advanced Support Gateway and the Oracle Services Support Center
Destination Destination IPAddress(es)
ApplicationProtocol
Network Protocol/Port
Purpose
adc-ps-ssl-vpn.oracle-occn.com
llg-ps-ssl-vpn.oracle-occn.com
tokyo-ps-ssl-vpn.oracle-occn.com
198.17.210.28
141.143.215.68
140.83.95.28
TLS VPN TCP/443 - TLS
UDP/443 - DTLS(Datagram TLS)
To establish a TLS VPN connection*between Oracle and Oracle AdvancedSupport Gateway.
*Cannot support communicationthrough an internet proxy.
dts.oracle.com 192.206.43.1 HTTPS TCP/443 To securely transport monitoring datato Oracle.
transport-adc.oracle.com 141.146.156.41 HTTPS TCP/443 To securely transport monitoring andother data to Oracle.
ccr.oracle.com 141.146.54.49 HTTPS TCP/443 To upload the customer's configurationdata to Oracle's centralizedconfiguration repository.
support.oracle.com 141.146.54.16 HTTPS TCP/443 To download patches onto OracleAdvanced Support Gateway from MyOracle Support (MOS) via the OracleEnterprise Manager (OEM) CloudControl UI.
login.oracle.comNote - Each hostnamecurrently resolves to multipleworking IP addresses. Accessto all addresses listed must bepermitted as Oracle will switch
209.17.4.8
156.151.58.18
141.146.8.119
HTTPS TCP/443 To connect to Oracle's centralizedauthentication site.
Oracle Advanced Support Gateway Security Guide 17
Firewall Rules: Ports and Protocols
Destination Destination IPAddress(es)
ApplicationProtocol
Network Protocol/Port
Purpose
from one to another in the nearfuture.
linux-update.oracle.com
linux-update-adc.oracle.com
linux-update-ucf.oracle.com
137.254.56.42
137.254.56.42
156.151.58.24
HTTPS TCP/443 To patch Oracle Advanced SupportGateway and to download patches(from Unbreakable Linux Networkservers) for customers who havepatching services.
updates.oracle.com 141.146.44.51 HTTPS TCP/443 To provide patch downloads viaOracle Enterprise Manager (OEM).
acs-rac.oracle.com 129.157.65.44 HTTPS TCP/2056 When the Remote Access Controlfeature is active on Oracle AdvancedSupport Gateway (that is, the "GreenButton" is on), rsyslog is used to sendaudit logs to Oracle via a securedchannel.
ZFS Phone Home 129.157.65.13
129.157.65.14
141.146.1.169
ZFS PhoneHome
TCP/443 ZFS fault monitoring is shipped directto these Oracle systems. Used whenOracle Advanced Support Gatewayhosts a proxy server for the ZFSControllers.Note - ZFS Controllers may alsobe known as ZFS Storage Heads.The term ZFS Controller is usedthroughout this document.
Firewall Rules for External Traffic Through theEncrypted VPN TunnelIf you use the Oracle-provided TLS VPN solution, the following table is informational only,illustrating the traffic transmitted over the VPN in support of Oracle Advanced SupportGateway. If the alternative VPN solution is used, the following traffic must be allowed tocommunicate over the VPN.
TABLE 3 Firewall Rules between Oracle Advanced Support Gateway and the Oracle Data Center Using VPN Tunnel
Source Destination Network Protocol/Port Purpose
Oracle Advanced SupportGateway
■ 192.206.43.197/32■ 198.51.38.199/32
NTP (UDP/123) Network Time Protocol (NTP)
Oracle Advanced SupportGateway
■ 192.206.43.194/32■ 198.51.38.197/32
Syslog (TCP/514) Oracle Advanced SupportGateway Syslog
Oracle Advanced SupportGateway
198.51.38.194/32 HTTPS (TCP/8080,9898) Oracle Advanced SupportGateway file integritymonitoring
18 Oracle Advanced Support Gateway Security Guide • May 2018
Firewall Rules for Internal Traffic
Source Destination Network Protocol/Port Purpose
198.51.38.193/32 Oracle Advanced SupportGateway
HTTPS (TCP/8080,9898) Oracle Advanced SupportGateway file integritymonitoring
■ 192.206.43.209/32■ 198.51.38.209/32■ 140.85.164.34/32
Oracle Advanced SupportGateway
Security Scanner
■ TCP/UDP/1-65535■ ICMP (Types 8 & 0)
Oracle Advanced SupportGateway availability andsecurity scanning
■ 198.51.37.1/32■ 193.188.5.1/32■ 140.83.88.1/32■ 140.83.88.129/32■ 140.83.89.1/32■ 141.146.155.40/32■ 141.146.155.41/32■ 192.206.43.208/32■ 198.51.38.208/32
Oracle Advanced SupportGateway
■ ICMP (Types 8 & 0)■ SSH (TCP/22)■ HTTPS (TCP/443,
7799,9702)■ SGD (TCP/5307)
Management traffic to remotelymanage Oracle AdvancedSupport Gateway and alsofacilitate remote access
Oracle Advanced SupportGateway
■ 192.206.43.196/32■ 198.51.38.198/32
HTTPS (TCP/443) REST services for OracleAdvanced Support Gateway
Oracle Advanced SupportGateway
■ 192.206.43.193/32■ 198.51.38.196/32
LDAP (TCP/636) Oracle Advanced SupportGateway authentication(LDAP)
Firewall Rules for Internal Traffic
This section provides internal firewall rules tables for the customer network, Oracle AdvancedSupport Gateway hardware self monitoring, Exadata Database Machine (Exadata), ZeroData Loss Recovery Appliance, ZFS Storage Appliance Racked System, Exalogic ElasticCloud (Exalogic), SuperCluster, Exalytics In-Memory Machine (Exalytics), Oracle DatabaseAppliance, Oracle Big Data Appliance, Oracle Cloud at Customer, Oracle Exadata Cloud atCustomer, and standalone hosts (both Oracle and third-party.)
This section also provides an internal firewall rules table between the Gateway and the hoststo be monitored by Oracle Advanced Database Support (ADS). Finally, this section containsa table listing ASR Endpoint IP address changes that apply to the following: ZFS StorageAppliance Racked System, Exalogic, and SuperCluster.
To see which of the following tables apply for Oracle Platinum Services, please see the Oracle-certified Platinum Services configurations on the Oracle Support website.
Oracle Advanced Support Gateway Security Guide 19
Firewall Rules for Internal Traffic
Note - If communication between management interfaces (that are connected to the Cisco IPswitch within the Engineered System) is separated by a firewall, Access Control List (ACL),or any form of network filtering, the firewall rules must allow communication between theseinterfaces.
■ “Firewall Rules Between the Gateway and the Customer Network” on page 20■ “Firewall Rules for Gateway Hardware Self Monitoring” on page 21■ “Firewall Rules Between the Gateway and Exadata” on page 22■ “Firewall Rules Between the Gateway and ZDLRA” on page 24■ “Firewall Rules Between the Gateway and ZFS” on page 26■ “Firewall Rules Between the Gateway and Exalogic” on page 28■ “Firewall Rules Between the Gateway and SuperCluster” on page 30■ “Firewall Rules Between the Gateway and Exalytics” on page 33■ “Firewall Rules Between the Gateway and Oracle Database Appliance” on page 34■ “Firewall Rules Between the Gateway and Oracle Big Data Appliance” on page 35■ “Firewall Rules Between the Gateway and Oracle Standalone Hosts” on page 37■ “Firewall Rules Between the Gateway and Oracle Third-Party Hosts” on page 38■ “Firewall Rules Between the Gateway and Hosts to be Monitored by ADS” on page 39■ “ZFS, Exalogic, and SuperCluster ASR Endpoint IP Address Changes” on page 40
Firewall Rules Between the Gateway and theCustomer Network
The ports outlined in this table are required for accessing the Oracle Advanced SupportGateway customer interfaces (command line and web interfaces) as well as ports required forintegrating syslog and user management email notifications.
TABLE 4 Firewall Rules Between the Gateway and the Customer Network
Source Destination Network Protocol/Port Purpose
Customer User Desktop/Intranet
Oracle Advanced SupportGateway
ICMP Type 0 and 8 Optional: Used by customers to testconnectivity to the Gateway from theirinternal networks.
Oracle Advanced SupportGateway
Customer default gateway onDMZ
ICMP Type 0 and 8 Ping between the Gateway and the defaultrouter is temporarily used during installationof the Gateway to confirm networkconnectivity.
Customer User Desktop/Intranet
Oracle Advanced SupportGateway
TCP/22 Customer access to CLI for network andsyslog configuration of the Gateway.
20 Oracle Advanced Support Gateway Security Guide • May 2018
Firewall Rules for Internal Traffic
Source Destination Network Protocol/Port Purpose
Customer User Desktop/Intranet
Oracle Advanced SupportGateway
HTTPS (TCP/443) Customer access to Portal interface foradministration of the Gateway and access toservices.
Oracle Advanced SupportGateway
Customer syslog server UDP/514 Rule required if the customer enables theOracle Advanced Support Gateway AuditLogging feature.
Customer User Desktop/Intranet
Oracle Advanced SupportGateway ILOM
TCP/22 Customer access from ILOM to assist infailure troubleshooting.
Customer User Desktop/Intranet
Oracle Advanced SupportGateway ILOM
HTTPS (TCP/443) Customer access from ILOM to assist infailure troubleshooting.
Customer User Desktop/Intranet
Oracle Advanced SupportGateway
HTTPS (TCP/7799) (Optional)
Users of the Oracle Advanced Monitoringand Resolution service and the OracleLifecycle Support services can access aReporting Dashboard on Oracle AdvancedSupport Gateway.
Firewall Rules for Gateway Hardware SelfMonitoringThis section provides an internal firewall rules table for Oracle Advanced Support Gatewayhardware self monitoring.
Note - This functionality is required only if the Gateway ILOM has been configured on adifferent network than the Gateway Ethernet network interfaces.
TABLE 5 Firewall Rules for Gateway Hardware Self Monitoring
Source Destination Network Protocol/Port Purpose
Bidirectional (OracleAdvanced SupportGateway ILOM andOracle Advanced SupportGateway)
Bidirectional (OracleAdvanced Support GatewayILOM and Oracle AdvancedSupport Gateway)
ICMP Type 0 and 8 Used to test bidirectional networkconnectivity
Oracle Advanced SupportGateway ILOM
Oracle Advanced SupportGateway
SNMP (UDP/162) SNMP traps for ASR telemetry (Gatewayhardware self monitoring)
Oracle Advanced SupportGateway
Oracle Advanced SupportGateway ILOM
RCMP+ (UDP/623;TCP/623)
Management and monitoring via ILOMinterface (IPMI)
Oracle Advanced SupportGateway
Oracle Advanced SupportGateway ILOM
SNMP (UDP/161) SNMP for ASR telemetry (Gatewayhardware self monitoring)
Oracle Advanced SupportGateway
Oracle Advanced SupportGateway ILOM
SSH (TCP/22) Management and configuration of ILOM
Oracle Advanced Support Gateway Security Guide 21
Firewall Rules for Internal Traffic
Source Destination Network Protocol/Port Purpose
Oracle Advanced SupportGateway
Oracle Advanced SupportGateway ILOM
ASR (TCP/6481) ASR for discovery and monitoring byservice tags
Oracle Advanced SupportGateway
Oracle Advanced SupportGateway ILOM
HTTPS (TCP/443) Monitoring configuration and faultdiagnostic collection
Firewall Rules Between the Gateway and ExadataThis section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle Exadata Database Machine.
TABLE 6 Firewall Rules Between the Gateway and Exadata
ApplicationProtocol
Source Interface(s) Destination Interface(s) NetworkProtocol/Port
Purpose
ICMP All monitored interfaces Oracle Advanced SupportGateway
ICMP Type 0and 8
Used to test network connectivitybetween customer systems and theGateway
ICMP Oracle Advanced SupportGateway
All monitored interfaces ICMP Type 0and 8
Used to test network connectivitybetween the Gateway and customersystems
OEM Oracle Advanced SupportGateway
DB Node and DomU TCP/1830-1839
OEM Agent communication;typically port 1830 is used forOracle Services
SNMP Oracle Advanced SupportGateway
Infiniband
PDU
Cisco Switch
Cell Node ILOM
Cell Node
DB Node ILOM
DB Node and DomU
UDP/161 SNMP for ASR telemetry
ASR Oracle Advanced SupportGateway
Infiniband
Cell Node
Cell Node ILOM
DB Node
DB Node ILOM
TCP/6481 ASR for discovery and monitoringby service tags
HTTPS Oracle Advanced SupportGateway
Cell Node ILOM
DB Node ILOM
TCP/443 Monitoring configuration and faultdiagnostic collection
22 Oracle Advanced Support Gateway Security Guide • May 2018
Firewall Rules for Internal Traffic
ApplicationProtocol
Source Interface(s) Destination Interface(s) NetworkProtocol/Port
Purpose
Infiniband
HTTPS DB Node and DomU Oracle Advanced SupportGateway
TCP/443 Patch Download Service forpatching support.
HTTP/HTTPS
Oracle Advanced SupportGateway
PDUNote - In late Exadata X4-2 andX5-2 or above, the PDU Webinterface can only be accessedusing HTTPS (not HTTP.)
TCP/80(HTTP)
Or
TCP/443(HTTPS)
PDU web interface for monitoringconfiguration and diagnostics
SSH Oracle Advanced SupportGateway
Infiniband
Cell Node
Cell Node ILOM
DB Node and DomU
DB Node ILOM
PDU
TCP/22 Monitoring configuration, faultdiagnostics and patching
SSH DB Node and DomU Infiniband
Cell Node
Cell Node ILOM
DB Node
DB Node ILOM
PDU
Cisco Switch
TCP/22 Monitoring of hardware components
SNMP DB Node and DomU PDU
Cisco Switch
UDP/161 Monitoring of hardware components
SSH/Telnet Oracle Advanced SupportGateway
Cisco Switch (older switchessupport only Telnet)
TCP/22 (SSH)
Or
TCP/23(Telnet)
Monitoring configuration, faultdiagnostics and patching
SQL Oracle Advanced SupportGateway
DB listener IP (VIP)Note - If a database is onlylistening on a Client/VIP, thenaccess to this interface must alsobe allowed.
DB listenerport, default isTCP/1521
DB listener port for discovery andongoing monitoringNote - This is not required forPlatinum Services customers.
RCMP+ Oracle Advanced SupportGateway
Cell Node ILOM
DB Node ILOM
UDP/623,TCP/623
Management and monitoring viaILOM interface (IPMI)
Oracle Advanced Support Gateway Security Guide 23
Firewall Rules for Internal Traffic
ApplicationProtocol
Source Interface(s) Destination Interface(s) NetworkProtocol/Port
Purpose
HTTPS(OEMAgent)
DB Node and DomU Oracle Advanced SupportGateway
TCP/1159 OEM agent communication toOracle Advanced Support GatewayNote - For Exadata, customers mustadd static routes to force all trafficwith Oracle Advanced SupportGateway as its destination to use theManagement Network as a primaryinterface for communication. Thestatic route must be permanentbecause in the event of any restartof the nodes, the route will bedeleted and communication betweenthe agents and Oracle AdvancedSupport Gateway will go down.
SNMP Infiniband
PDU
Cisco Switch
Cell Node ILOM
Cell Node
DB Node ILOM
DB Node
Oracle Advanced SupportGateway
UDP/162 SNMP for monitoring events and/ornetwork monitoring
Firewall Rules Between the Gateway and ZDLRA
This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle Zero Data Loss Recovery Appliance (ZDLRA).
TABLE 7 Firewall Rules Between the Gateway and Zero Data Loss Recovery Appliance
ApplicationProtocol
Source Interface(s) Destination Interface(s) NetworkProtocol/Port
Purpose
ICMP All monitored interfaces Oracle Advanced SupportGateway
ICMP Type 0and 8
Used to test network connectivitybetween customer systems and theGateway
ICMP Oracle Advanced SupportGateway
All monitored interfaces ICMP Type 0and 8
Used to test network connectivitybetween the Gateway and customersystems
OEM Oracle Advanced SupportGateway
Compute Node TCP/1830-1839
OEM Agent communication;typically port 1830 is used forOracle Services
24 Oracle Advanced Support Gateway Security Guide • May 2018
Firewall Rules for Internal Traffic
ApplicationProtocol
Source Interface(s) Destination Interface(s) NetworkProtocol/Port
Purpose
SNMP Oracle Advanced SupportGateway
Infiniband
PDU
Cisco Switch
Storage Node ILOM
Storage Node
Compute Node ILOM
Compute Node
UDP/161 SNMP for ASR telemetry
SNMP DB Node and DomU PDU
Cisco Switch
UDP/161 Monitoring of hardware components
ASR Oracle Advanced SupportGateway
Infiniband
Storage Node
Storage Node ILOM
Compute Node
Compute Node ILOM
TCP/6481 ASR for discovery and monitoringby service tags
HTTPS Oracle Advanced SupportGateway
Storage Node ILOM
Compute Node ILOM
Infiniband
TCP/443 Monitoring configuration and faultdiagnostic collection
HTTPS Compute Node Oracle Advanced SupportGateway
TCP/443 Patch Download Service forpatching support.
HTTP/HTTPS
Oracle Advanced SupportGateway
PDUNote - In late Exadata X4-2 andX5-2 or above, the PDU Webinterface can only be accessedusing HTTPS (not HTTP.)
TCP/80(HTTP)
Or
TCP/443(HTTPS)
PDU web interface for monitoringconfiguration and diagnostics
SSH Oracle Advanced SupportGateway
Infiniband
Storage Node
Storage Node ILOM
Compute Node
Compute Node ILOM
PDU
TCP/22 Monitoring configuration, faultdiagnostics and patching
SSH/Telnet Oracle Advanced SupportGateway
Cisco Switch (older switchessupport only Telnet)
TCP/22 (SSH) Monitoring configuration, faultdiagnostics and patching
Oracle Advanced Support Gateway Security Guide 25
Firewall Rules for Internal Traffic
ApplicationProtocol
Source Interface(s) Destination Interface(s) NetworkProtocol/Port
Purpose
Or
TCP/23(Telnet)
SQL Oracle Advanced SupportGateway
DB listener IP (VIP)Note - If a database is onlylistening on a Client/VIP, thenaccess to this interface must alsobe allowed)
DB listenerport, default isTCP/1521
DB listener port for discovery andongoing monitoring
RCMP+ Oracle Advanced SupportGateway
Storage Node ILOM
Compute Node ILOM
UDP/623,TCP/623
Management and monitoring viaILOM interface (IPMI)
HTTPS(OEMAgent)
Compute Node Oracle Advanced SupportGateway
TCP/1159 OEM agent communication toOracle Advanced Support GatewayNote - For Zero Data LossRecovery Appliance, customersmust add static routes to forceall traffic with Oracle AdvancedSupport Gateway as its destinationto use the Management Networkas a primary interface forcommunication. The static routemust be permanent because inthe event of any restart of thenodes, the route will be deleted andcommunication between the agentsand Oracle Advanced SupportGateway will go down.
SNMP Infiniband
PDU
Cisco Switch
Storage Node ILOM
Storage Node
Compute Node ILOM
Compute Node
Oracle Advanced SupportGateway
UDP/162 SNMP for monitoring events and/ornetwork monitoring
Firewall Rules Between the Gateway and ZFS
This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle ZFS Storage Appliance Racked System (ZFS).
26 Oracle Advanced Support Gateway Security Guide • May 2018
Firewall Rules for Internal Traffic
TABLE 8 Firewall Rules Between the Gateway and ZFS Storage Appliance Racked System
ApplicationProtocol
Source Interface(s) Destination Interface(s) NetworkProtocol/Port
Purpose
ICMP All monitored interfaces Oracle Advanced SupportGateway
ICMP Type 0and 8
Used to test network connectivitybetween customer systems and theGateway
ICMP Oracle Advanced SupportGateway
All monitored interfaces ICMP Type 0and 8
Used to test network connectivitybetween the Gateway and customersystems
SSH Oracle Advanced SupportGateway
ZFS Controllers
ZFS ILOM
TCP/22 Monitoring configuration, faultdiagnostics, and patching
SSH Oracle Advanced SupportGateway
PDU TCP/22 Monitoring configuration, faultdiagnostics and patching
HTTPS Oracle Advanced SupportGateway
PDU TCP/443(HTTPS)
PDU web interface for monitoringconfiguration and diagnostics
HTTPS Oracle Advanced SupportGateway
ZFS ILOM TCP/443 Monitoring configuration and faultdiagnostic collection
HTTPS Oracle Advanced SupportGateway
ZFS Controllers TCP/215 OEM plug-in communication to ZFSfor monitoring
SNMP Oracle Advanced SupportGateway
PDU
ZFS ILOM
ZFS Controllers
UDP/161 SNMP for ASR telemetry
SNMP PDU Oracle Advanced SupportGateway
UDP/162 SNMP for Monitoring Events
RCMP+ Oracle Advanced SupportGateway
ZFS ILOM UDP/623,TCP/623
Management and monitoring usingthe ILOM interface (IPMI)
ZFS PhoneHome
ZFS Controllers asr-services.oracle.com
inv-cs.oracle.com
transport.oracle.com
Or
Proxy IP
TCP/443 orproxy port
ZFS Phone Home can also supportan internet proxy
Direct access or proxy to:
129.157.65.13
129.157.65.14
141.146.1.169
ZFS PhoneHome
ZFS Controllers Oracle Advanced SupportGateway
TCP/8000 Gateway hosting a proxy server
SSH ZFS Controllers Oracle Advanced SupportGateway
TCP/22 Used to copy patches from thegateway to the ZFS arrays as SCP isavailable only to pull from a remotesystem to the ZFS array.
Oracle Advanced Support Gateway Security Guide 27
Firewall Rules for Internal Traffic
Note - ZFS reporting for ASR is an exception as error telemetry is reported directly to Oracleusing port 443.
Firewall Rules Between the Gateway and Exalogic
This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle Exalogic Elastic Cloud.
TABLE 9 Firewall Rules Between the Gateway and Exalogic
ApplicationProtocol
Source Interface(s) Destination Interface(s) NetworkProtocol/Port
Purpose
ICMP All monitored interfaces Oracle Advanced SupportGateway
ICMP Type 0and 8
Used to test network connectivitybetween customer systems and theGateway
ICMP Oracle Advanced SupportGateway
All monitored interfaces ICMP Type 0and 8
Used to test network connectivitybetween the Gateway andcustomer systems
OEM Oracle Advanced SupportGateway
Compute Node
Control VMs (virtual only)
TCP/1830-1839 OEM Agent communication,typically 1830 is used for OracleServices
SNMP Oracle Advanced SupportGateway
Infiniband
PDU
Cisco Switch
Compute Node
Compute Node ILOM
Virtual Instances
UDP/161 SNMP for ASR telemetry
ASR Oracle Advanced SupportGateway
Compute Node
Compute Node ILOM
Infiniband
TCP/6481 ASR for discovery and monitoringby service tags
HTTPS Oracle Advanced SupportGateway
Compute Node ILOM
Infiniband
ZFS ILOM
TCP/443 Monitoring configuration and faultdiagnostic collection
HTTPS Compute Node
OVS Compute Node
Control VMs
Oracle Advanced SupportGateway
TCP/443 Patch Download Service forpatching support.
28 Oracle Advanced Support Gateway Security Guide • May 2018
Firewall Rules for Internal Traffic
ApplicationProtocol
Source Interface(s) Destination Interface(s) NetworkProtocol/Port
Purpose
SNMP Oracle Advanced SupportGateway
ZFS ILOM
ZFS Controllers
UDP/161 SNMP for ASR telemetry
HTTP/HTTPS Oracle Advanced SupportGateway
PDUNote - In late Exalogic X4-2 andX5-2 or above, the PDU Webinterface can only be accessedusing HTTPS (not HTTP.)
TCP/80 (HTTP)
Or
TCP/443(HTTPS)
PDU web interface for monitoringconfiguration and diagnostics
SSH Oracle Advanced SupportGateway
PDU TCP/22 Monitoring configuration, faultdiagnostics and patching
SSH Oracle Advanced SupportGateway
Infiniband
Control VMs (virtual only)
ZFS Controllers
Compute Node
ZFS ILOM
Compute Node ILOM
TCP/22 Monitoring configuration, faultdiagnostics and patching
SSH/Telnet Oracle Advanced SupportGateway
Cisco Switch (older switchessupport only Telnet)
TCP/22 (SSH)
Or
TCP/23 (Telnet)
Monitoring configuration, faultdiagnostics and patching
SQL Oracle Advanced SupportGateway
Control VMs (Virtual only)Note - If a database is onlylistening on a Client/VIP accessto this interface must also beallowed.
DB listenerport, default isTCP/1521
DB listener port for discovery andongoing monitoring
RCMP+ Oracle Advanced SupportGateway
Compute Node ILOM
ZFS ILOM
UDP/623,TCP/623
Management and monitoring usingthe ILOM interface (IPMI)
HTTPS Oracle Advanced SupportGateway
Compute Node TCP/7001-7002 Monitoring install and diagnosticscollection
HTTPS - ZFSagent
Oracle Advanced SupportGateway
ZFS Controllers TCP/215 OEM plug-in communication toZFS for monitoring
HTTPS (OEMagent)
Compute Node
Control VMs (virtual only)
Oracle Advanced SupportGateway
TCP/1159 OEM agent communication toOracle Advanced Support GatewayNote - For Exalogic, customersmust add static routes to forceall traffic with Oracle AdvancedSupport Gateway as its destinationto use the Management Networkas a primary interface forcommunication. The static routemust be permanent because in
Oracle Advanced Support Gateway Security Guide 29
Firewall Rules for Internal Traffic
ApplicationProtocol
Source Interface(s) Destination Interface(s) NetworkProtocol/Port
Purpose
the event of any restart of thenodes, the route will be deleted andcommunication between the agentsand Oracle Advanced SupportGateway will go down.
SNMP Infiniband
PDU
Cisco Switch
Compute Node
Compute Node ILOM
Oracle Advanced SupportGateway
UDP/162 SNMP for Monitoring Events
HTTP Compute Node (Solaris)
Zones
Oracle Advanced SupportGateway
TCP/5555 Solaris Explorer uploads forautomatic uploads for events
HTTPS Compute Node (Solaris)
Zones
Oracle Advanced SupportGateway
TCP/8234 ASR Assets to communicate withASR Manager
ZFS PhoneHome
ZFS Controllers asr-services.oracle.com
inv-cs.oracle.com
transport.oracle.com
Or
Proxy IP
TCP/443 orproxy port
ZFS Phone Home can also supportan internet proxy
Direct access or proxy to:
129.157.65.13
129.157.65.14
141.146.1.169
ZFS PhoneHome
ZFS Controllers Oracle Advanced SupportGateway
TCP/8000 Gateway hosting a proxy server
Firewall Rules Between the Gateway andSuperCluster
This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle SuperCluster.
TABLE 10 Firewall Rules Between the Gateway and SuperCluster
ApplicationProtocol
Source Interface(s) Destination Interface(s) Network Protocol/Port
Purpose
ICMP All monitored interfaces Oracle Advanced SupportGateway
ICMP Type 0 and 8 Used to test networkconnectivity between customersystems and the Gateway
30 Oracle Advanced Support Gateway Security Guide • May 2018
Firewall Rules for Internal Traffic
ApplicationProtocol
Source Interface(s) Destination Interface(s) Network Protocol/Port
Purpose
ICMP Oracle AdvancedSupport Gateway
All monitored interfaces ICMP Type 0 and 8 Used to test networkconnectivity between theGateway and customer systems
OEM Oracle AdvancedSupport Gateway
All Domains
Zones based on monitoringservice
TCP/1830-1839 OEM agent communication,typically 1830 is used forOracle Services
SNMP Oracle AdvancedSupport Gateway
Infiniband
PDU
Cisco Switch
SPARC Server ILOMs(virtual/floating addresses aswell as physical addresses)
Primary Domains
Cell Node
Cell Node ILOM
UDP/161 SNMP for ASR telemetry
ASR Oracle AdvancedSupport Gateway
Infiniband
SPARC Server ILOMs(virtual/floating addresses aswell as physical addresses)
Primary Domains
Cell Node
Cell Node ILOM
TCP/6481 ASR for discovery andmonitoring by service tags
HTTPS Oracle AdvancedSupport Gateway
SPARC Server ILOMs(virtual/floating addresses aswell as physical addresses)
Infiniband
ZFS ILOM
Cell Node ILOM
TCP/443 Monitoring configuration andfault diagnostic collection
HTTPS Primary Domains Oracle Advanced SupportGateway
TCP/443 Patch Download Service forpatching support.
HTTPS - ZFS agent Oracle AdvancedSupport Gateway
ZFS Controllers TCP/215 OEM plug-in communication toZFS for monitoring
SSH Oracle AdvancedSupport Gateway
Infiniband
ZFS Controllers
ZFS ILOM
TCP/22 Monitoring configuration, faultdiagnostics and patching
Oracle Advanced Support Gateway Security Guide 31
Firewall Rules for Internal Traffic
ApplicationProtocol
Source Interface(s) Destination Interface(s) Network Protocol/Port
Purpose
SPARC Server ILOMs(Virtual/Floating addresses aswell as Physical addresses)
Cell Node ILOM
Cell Node
PDU
All Domains
Zones based on monitoringservice
HTTP/HTTPS Oracle AdvancedSupport Gateway
PDU TCP/80 (HTTP)
Or
TCP/443 (HTTPS)
PDU web interface formonitoring configuration anddiagnostics
SSH/Telnet Oracle AdvancedSupport Gateway
Cisco Switch (older switchessupport only Telnet)
TCP/22 (SSH)
Or
TCP/23 (Telnet)
Monitoring configuration, faultdiagnostics and patching
SQL Oracle AdvancedSupport Gateway
Database domains/zones
Client/VIPNote - if a database is onlylistening on a Client/VIP,access to this interface mustalso be allowed.
DB listener port,default is TCP/1521
DB listener port for discoveryand ongoing monitoringNote - This is not required forPlatinum Services customers.
RCMP+ Oracle AdvancedSupport Gateway
SPARC Server ILOMs(virtual/floating addresses aswell as physical addresses)
Cell Node ILOM
ZFS ILOM
UDP/623, TCP/623 Management and monitoringusing ILOM interface (IPMI)
WebLogic Oracle AdvancedSupport Gateway
WebLogic instances TCP/7001-7002 Monitoring install anddiagnostics collection
HTTPS (OEMAgent)
All Domains
Zones based onmonitoring service
Oracle Advanced SupportGateway
TCP/1159 OEM agent communicationto Oracle Advanced SupportGatewayNote - For SuperCluster,customers must add staticroutes to force all traffic withOracle Advanced SupportGateway as its destination touse the Management Networkas a primary interface forcommunication. The static route
32 Oracle Advanced Support Gateway Security Guide • May 2018
Firewall Rules for Internal Traffic
ApplicationProtocol
Source Interface(s) Destination Interface(s) Network Protocol/Port
Purpose
must be permanent because inthe event of any restart of thenodes, the route will be deletedand communication betweenthe agents and Oracle AdvancedSupport Gateway will go down.
SNMP Primary Domains
Infiniband
PDU
Cisco Switch
SPARC Server ILOMs(virtual/floatingaddresses as well asphysical addresses)
Cell Node
Cell Node ILOM
Oracle Advanced SupportGateway
UDP/162 SNMP for monitoring events
HTTP Primary Domains Oracle Advanced SupportGateway
TCP/5555 Solaris Explorer uploads forautomatic uploads for events
HTTPS Primary Domains Oracle Advanced SupportGateway
TCP/8234 ASR Manager to communicatewith ASR Assets
HTTPS Oracle AdvancedSupport Gateway
SuperCluster Control Domain TCP/8000 Access to the IO DomainCreation Tool for Monitoringand log file collection
ZFS Phone Home ZFS Controllers asr-services.oracle.com
inv-cs.oracle.com
transport.oracle.com
Or
Proxy IP
TCP/443 or proxyport
ZFS Phone Home can alsosupport an internet proxy
Direct access or proxy to:
129.157.65.13
129.157.65.14
141.146.1.169
ZFS Phone Home ZFS Controllers Oracle Advanced SupportGateway
TCP/8000 Gateway hosting a proxy server
Firewall Rules Between the Gateway and Exalytics
This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle Exalytics In-Memory Machine.
Oracle Advanced Support Gateway Security Guide 33
Firewall Rules for Internal Traffic
TABLE 11 Firewall Rules Between the Gateway and Exalytics
Application Protocol Source Interface(s) Destination Interface(s) Network Protocol/Port Purpose
ICMP All monitoredinterfaces
Oracle Advanced SupportGateway
ICMP Type 0 and 8 Used to test networkconnectivity betweencustomer systems and theGateway
ICMP Oracle AdvancedSupport Gateway
All monitored interfaces ICMP Type 0 and 8 Used to test networkconnectivity between theGateway and customersystems
SNMP Oracle AdvancedSupport Gateway
Exalytics and ExalyticsILOM
UDP/161 SNMP for ASR telemetry
ASR Oracle AdvancedSupport Gateway
Exalytics and ExalyticsILOM
TCP/6481 ASR for discovery andmonitoring by service tags
HTTPS Exalytics CDom Oracle Advanced SupportGateway
TCP/8234 ASR Manager tocommunicate with ASRAssets
OEM Oracle AdvancedSupport Gateway
Exalytics Domains andDomU
TCP/1830-1839 OEM Agent communication,typically 1830 is used forOracle Services
SSH Oracle AdvancedSupport Gateway
Exalytics Domains, DomU,Dom0, and ILOM
TCP/22 Monitoring configuration,fault diagnostics and patching
SNMP Exalytics CDom andILOM
Oracle Advanced SupportGateway
UDP/162 SNMP for monitoring eventsand/or network monitoring
HTTPS (OEM Agent) Exalytics Domains andDomU
Oracle Advanced SupportGateway
TCP/1159 OEM agent communicationto Oracle Advanced SupportGateway
RCMP+ Oracle AdvancedSupport Gateway
Exalytics ILOM UDP/623, TCP/623 Management and monitoringvia ILOM interface (IPMI)
HTTPS Oracle AdvancedSupport Gateway
Exalytics and ExalyticsILOM
TCP/443 Monitoring configuration andfault diagnostic collection
HTTPS Exalytics Domains,DomU, and Dom0
Oracle Advanced SupportGateway
TCP/443 Patch Download Service forpatching support.
Firewall Rules Between the Gateway and OracleDatabase Appliance
This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle Database Appliance.
34 Oracle Advanced Support Gateway Security Guide • May 2018
Firewall Rules for Internal Traffic
TABLE 12 Firewall Rules Between the Gateway and Oracle Database Appliance
Application Protocol Source Interface(s) Destination Interface(s) Network Protocol/Port Purpose
ICMP All monitoredinterfaces
Oracle Advanced SupportGateway
ICMP Type 0 and 8 Used to test networkconnectivity betweencustomer systems and theGateway
ICMP Oracle AdvancedSupport Gateway
All monitored interfaces ICMP Type 0 and 8 Used to test networkconnectivity between theGateway and customersystems
SNMP Oracle AdvancedSupport Gateway
DB, Compute Node, andCompute Node ILOM
UDP/161 SNMP for ASR telemetry
ASR Oracle AdvancedSupport Gateway
DB, Compute Node, andCompute Node ILOM
TCP/6481 ASR for discovery andmonitoring by service tags
OEM Oracle AdvancedSupport Gateway
DB, DomU, or ComputeNode
TCP/1830-1839 OEM Agent communication,typically 1830 is used forOracle Services
SSH Oracle AdvancedSupport Gateway
DB, DomU, ComputeNode, and Compute NodeILOM
TCP/22 Monitoring configuration,fault diagnostics and patching
SNMP DB, Compute Node,and Compute NodeILOM
Oracle Advanced SupportGateway
UDP/162 SNMP for monitoring eventsand/or network monitoring
HTTPS (OEM Agent) DB, DomU, andCompute Node
Oracle Advanced SupportGateway
TCP/1159 OEM agent communicationto Oracle Advanced SupportGateway
RCMP+ (IPMI) Oracle AdvancedSupport Gateway
Compute Node ILOM UDP/623, TCP/623 Management and monitoringvia ILOM interface (IPMI)
HTTPS Oracle AdvancedSupport Gateway
DB or Compute NodeILOM
TCP/443 Monitoring configuration andfault diagnostic collection
HTTPS DB, DomU, andCompute Node
Oracle Advanced SupportGateway
TCP/443 Patch Download Service forpatching support.
Firewall Rules Between the Gateway and OracleBig Data Appliance
This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle Big Data Appliance.
Oracle Advanced Support Gateway Security Guide 35
Firewall Rules for Internal Traffic
TABLE 13 Firewall Rules Between the Gateway and Oracle Big Data Appliance
Application Protocol Source Interface(s) Destination Interface(s) Network Protocol/Port Purpose
ICMP All monitoredinterfaces
Oracle Advanced SupportGateway
ICMP Type 0 and 8 Used to test networkconnectivity betweencustomer systems and theGateway
ICMP Oracle AdvancedSupport Gateway
All monitored interfaces ICMP Type 0 and 8 Used to test networkconnectivity between theGateway and customersystems
SNMP Oracle AdvancedSupport Gateway
Infiniband
PDU
Cisco Switch
Compute Node ILOM
DomU, or Compute Node
UDP/161 SNMP for ASR telemetry
ASR Oracle AdvancedSupport Gateway
Infiniband
Compute Node
Compute Node ILOM
TCP/6481 ASR for discovery andmonitoring by service tags
OEM Oracle AdvancedSupport Gateway
DomU
Or
Compute Node
TCP/1830-1839 OEM Agent communication,typically 1830 is used forOracle Services
SSH Oracle AdvancedSupport Gateway
Infiniband
DomU
Compute Node ILOM
PDU
TCP/22 Monitoring configuration,fault diagnostics and patching
SNMP Infiniband
PDU
Cisco Switch
Compute Node ILOM
Compute Node
Oracle Advanced SupportGateway
UDP/162 SNMP for monitoring eventsand/or network monitoring
HTTPS (OEM Agent) Compute Node
DomU
Oracle Advanced SupportGateway
TCP/1159 OEM agent communicationto Oracle Advanced SupportGateway
RCMP+ (IPMI) Oracle AdvancedSupport Gateway
Compute Node ILOM UDP/623, TCP/623 Management and monitoringvia ILOM interface (IPMI)
36 Oracle Advanced Support Gateway Security Guide • May 2018
Firewall Rules for Internal Traffic
Application Protocol Source Interface(s) Destination Interface(s) Network Protocol/Port Purpose
HTTPS Oracle AdvancedSupport Gateway
Compute Node ILOM
Infiniband
TCP/443 Monitoring configuration andfault diagnostic collection
HTTPS Compute Node
DomU
Oracle Advanced SupportGateway
TCP/443 Patch Download Service forpatching support.
SSH/Telnet Oracle AdvancedSupport Gateway
Cisco Switch (olderswitches support onlyTelnet)
TCP/22 (SSH)
Or
TCP/23 (Telnet)
Monitoring configuration,fault diagnostics and patching
HTTP Oracle AdvancedSupport Gateway
PDU TCP/80 (HTTP)
TCP/443 (HTTPS)
PDU web interface formonitoring configuration anddiagnostics
HTTP/HTTPS Oracle AdvancedSupport Gateway
Cloudera Manager TCP/7180 (HTTP)
Or
TCP/7183 (HTTPS)
Cloudera Manager webinterface for monitoringconfiguration and diagnostics.
The Cloudera Manager mustbe HTTPS or HTTP. Thecustomer may change thedefault ports.
Firewall Rules Between the Gateway and OracleStandalone Hosts
This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle standalone hosts.
TABLE 14 Firewall Rules Between the Gateway and Oracle Standalone Hosts
ApplicationProtocol
Source Interface(s) Destination Interface(s) NetworkProtocol/Port
Purpose
ICMP All monitored interfaces Oracle Advanced SupportGateway
ICMP Type 0and 8
Used to test network connectivitybetween customer systems and theGateway
ICMP Oracle Advanced SupportGateway
All monitored interfaces ICMP Type 0and 8
Used to test network connectivitybetween the Gateway and customersystems
SNMP Oracle Advanced SupportGateway
Host
Host ILOM (If Oracle Hardware)
UDP/161 SNMP for ASR telemetry
OEM Oracle Advanced SupportGateway
Host TCP/1830-1839
OEM agent communication,typically 1830 is used for OracleServices
Oracle Advanced Support Gateway Security Guide 37
Firewall Rules for Internal Traffic
ApplicationProtocol
Source Interface(s) Destination Interface(s) NetworkProtocol/Port
Purpose
ASR Oracle Advanced SupportGateway
Host
Host ILOM (If Oracle Hardware)
TCP/6481 ASR for discovery and monitoringby service tags
SSH Oracle Advanced SupportGateway
Host
Host ILOM (If Oracle Hardware)
TCP/22 Monitoring configuration, faultdiagnostics and patching
SNMP Host
Host ILOM (If OracleHardware)
Oracle Advanced SupportGateway
UDP/162 SNMP for monitoring events and/ornetwork monitoring
HTTPS(OEMAgent)
Host Oracle Advanced SupportGateway
TCP/1159 OEM agent communication toOracle Advanced Support Gateway
RCMP+ Oracle Advanced SupportGateway
Host
Host ILOM (If Oracle Hardware)
UDP/623,TCP/623
Management and monitoring usingILOM interface (IPMI)
HTTPS Oracle Advanced SupportGateway
Host
Host ILOM (If Oracle Hardware)
TCP/443 Monitoring configuration and faultdiagnostic collection
HTTPS Host Oracle Advanced SupportGateway
TCP/443 Patch Download Service forpatching support.
HTTPS -ZFS agent
Oracle Advanced SupportGateway
ZFS Controllers TCP/215 OEM plug-in communication to ZFSfor monitoring
HTTPS Primary Domain
Host
Oracle Advanced SupportGateway
TCP/8234 ASR Manager to communicate withASR Assets
ZFS PhoneHome
ZFS Controllers asr-services.oracle.com
inv-cs.oracle.com
transport.oracle.com
Or
Proxy IP
TCP/443 orproxy port
ZFS Phone Home can also supportan internet proxy
Direct access or proxy to:
■ 129.157.65.13■ 129.157.65.14■ 141.146.1.169
ZFS PhoneHome
ZFS Controllers Oracle Advanced SupportGateway
TCP/8000 Gateway hosting a proxy server
Firewall Rules Between the Gateway and OracleThird-Party Hosts
This section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and Oracle third-party hosts.
38 Oracle Advanced Support Gateway Security Guide • May 2018
Firewall Rules for Internal Traffic
Note - ILOMs on non-Oracle hardware can be monitored by Oracle Advanced Monitoring andResolution. ILOMs on non-Oracle hardware cannot be monitored by Oracle Platinum Servicesor Oracle Auto Service Request (ASR).
TABLE 15 Firewall Rules Between the Gateway and Third-Party Standalone Hosts
ApplicationProtocol
Source Interface(s) Destination Interface(s) NetworkProtocol/Port
Purpose
ICMP All monitored interfaces Oracle Advanced SupportGateway
ICMP Type 0and 8
Used to test network connectivitybetween customer systems and theGateway
ICMP Oracle Advanced SupportGateway
All monitored interfaces ICMP Type 0and 8
Used to test network connectivitybetween the Gateway and customersystems
SNMP Oracle Advanced SupportGateway
Host
Host ILOM (if Oracle hardware)
UDP/161 SNMP for ASR telemetry
OEM Oracle Advanced SupportGateway
Host TCP/1830-1839
OEM agent communication,typically 1830 is used for OracleServices
SSH Oracle Advanced SupportGateway
Host TCP/22 SSH connection for implementationand ongoing support
SNMP Host
Host ILOM (if Oraclehardware)
Oracle Advanced SupportGateway
UDP/162 SNMP for monitoring events and/ornetwork monitoring
HTTPS(OEMAgent)
Host Oracle Advanced SupportGateway
TCP/1159 OEM agent communication toOracle Advanced Support Gateway
HTTPS Host Oracle Advanced SupportGateway
TCP/443 Patch Download Service forpatching support.
Firewall Rules Between the Gateway and Hosts tobe Monitored by ADSThis section provides a table showing the internal firewall rules between Oracle AdvancedSupport Gateway and hosts to be monitored by Oracle Advanced Database Support (ADS).
Note - Oracle Advanced Database Support (ADS), an Oracle service that offers database faultmonitoring with automatic service request submission, database security compliance reporting,proactive database health checks, and remote patch deployment, may be added to Platinumand non-Platinum systems for a fee. Please contact your Oracle representative for furtherinformation.
Oracle Advanced Support Gateway Security Guide 39
Firewall Rules for Internal Traffic
TABLE 16 Firewall Rules Between the Gateway and Hosts to be Monitored by Oracle Advanced Database Support(ADS)
ApplicationProtocol
Source Interface(s) Destination Interface(s) NetworkProtocol/Port
Purpose
ICMP All monitored interfaces Oracle Advanced SupportGateway
ICMP Type 0and 8
Used to test network connectivitybetween customer systems and theGateway
ICMP Oracle Advanced SupportGateway
All monitored interfaces ICMP Type 0and 8
Used to test network connectivitybetween the Gateway and customersystems
SSH Oracle Advanced SupportGateway
Host TCP/22 SSH connection for implementationand ongoing support
SQL Oracle Advanced SupportGateway
Host DB listenerport, default isTCP/1521
DB listener port for discovery andongoing monitoringNote - This is not required forPlatinum Services customers.
OEM Oracle Advanced SupportGateway
Host TCP/1830-1839
OEM agent communication,typically 1830 is used for OracleServices
HTTPS(OEMAgent)
Host Oracle Advanced SupportGateway
TCP/1159 OEM agent communication toOracle Advanced Support Gateway
HTTPS Host Oracle Advanced SupportGateway
TCP/443 Patch Download Service forpatching support.
ZFS, Exalogic, and SuperCluster ASR Endpoint IPAddress Changes
This section provides a table showing ZFS Storage Appliance Racked System, Exalogic, andSuperCluster ASR Endpoint IP address changes.
TABLE 17 ZFS Storage Appliance Racked System, Exalogic, and SuperCluster ASR Endpoint IP Address Changes
Service Used By Old IP Address New IP Address
inv-cs.oracle.com ZFS Controllers
Exalogic
SuperCluster
192.18.110.10 129.157.65.14
asr-services.oracle.com ZFS Controllers
Exalogic
SuperCluster
192.18.110.13 129.157.65.13
40 Oracle Advanced Support Gateway Security Guide • May 2018
Implementation Changes to a Customer System
Implementation Changes to a Customer SystemThis section outlines the changes made to a customer's system during the implementation ofOracle Gateway Enabled services, including Platinum Services, Business Critical Servicefor Systems, Lifecycle Support Services, and Advanced Monitoring and Resolution. OracleAdvanced Support Gateway runs Oracle Enterprise Manager Cloud Control to perform itsmonitoring. Oracle Enterprise Manager Cloud Control requires agents to be installed on hosts,and then uses various plug-ins to monitor those devices that cannot be monitored directly. Thissection describes the monitoring method for a device and the configuration to be performed.
Refer to the following sections:
■ “The Monitoring Matrix” on page 41■ “Implementation Impact on the Environment” on page 42■ “Utilization Impact Risk of OEM Cloud Control Agent on Monitored Systems
” on page 47
The Monitoring MatrixThis section provides a table of devices and shows how each device is monitored.
TABLE 18 Devices and their Associated Monitoring Methods
Device Monitor
Component CloudControlAgent
Plug-in Target Type SNMP Trap ASR
EngineeredSystem
Exadata Storage Cell No Oracle Exadata Storage Server Yes Yes
EngineeredSystem
Cisco Switch No Oracle Engineered System Cisco Switch Yes No
EngineeredSystem
Infiniband Switch No Oracle Infiniband Switch Yes No
EngineeredSystem
PDU No Oracle Engineered System PDU Yes No
EngineeredSystem
OVS Compute Node No Oracle Engineered System ILOM Server
Oracle Virtual Platform
Oracle Server
Yes Yes
EngineeredSystem
ZFS Array StorageHeads
No Oracle ZFS Appliance No Yes(configuredby thecustomer)
Oracle Advanced Support Gateway Security Guide 41
Implementation Changes to a Customer System
Device Monitor
Component CloudControlAgent
Plug-in Target Type SNMP Trap ASR
Exadata Database Node Yes Oracle Engineered System ILOM Server
Host
Yes Yes
Exalogic Physical ComputeNode
Yes Oracle Engineered System ILOM Server
Host
Yes Yes
Exalogic Exalogic Control VM Yes Host No No
SuperCluster Control Domains Yes Oracle Engineered System ILOM Server
Host
Yes Yes
SuperCluster Logical Domains Yes Yes No (coveredby ControlDomain)
Standalone Server (including otherEngineered System nodes and VMs, forexample: ODA, BDA, Exalytics)
Yes Oracle Engineered System ILOM Server(if Oracle hardware)
Host
Yes Yes
Standalone ZFS Array Storage Heads No Oracle ZFS Storage Appliance No Yes(configuredby thecustomer)
Axiom 600 No Oracle Axiom Yes Yes (CallHomeCustomerConfigured)
Implementation Impact on the Environment
The following sections describe the changes that are made to various types of system during theimplementation process:
■ Systems with an agent deployed. See “All Systems With An AgentDeployed” on page 43.
■ Engineered System. See “Engineered Systems” on page 44■ Engineered System Cisco Switch. See “Engineered System Cisco
Switches” on page 44.■ Engineered System Infiniband Switches. See “Engineered System Infiniband
Switches” on page 45.
42 Oracle Advanced Support Gateway Security Guide • May 2018
Implementation Changes to a Customer System
■ Engineered System PDU's. See “Engineered System PDU's” on page 45.■ OVS Compute Nodes. See “OVS Compute Nodes” on page 45.■ Exalogic Compute Nodes (Physical Implementation) and Exalogic Virtual Machines /
Control Virtual Machines. See “Exalogic Compute Nodes (Physical Implementation) andExalogic Virtual Machines / Control Virtual Machines” on page 46.
■ ZFS Storage Array Storage Heads. See “ZFS Storage Array Storage Heads” on page 46.■ Pillar Axiom 600. See “Pillar Axiom 600 Storage Arrays” on page 47.
All Systems With An Agent DeployedThe following changes are made to every system on which an agent is deployed:
■ An entry is added to the /etc/hosts file for Oracle Advanced Support Gateway■ A new group is created on the operating system (OS) of the monitored server. The default
group name is orarom.■ A new user is created on the ILOM of the monitored server (if applicable). The default
username is orarom.■ A new user is added on the operating system (OS) (orarom) of the monitored server.■ The new OS user is added to the group that owns the Oracle Inventory.■ A new user is added into the group that owns the database diag directories that are listed in
the oratab file (required for monitoring databases and generating ADR packages)■ The Oracle Inventory directory is updated for group read/write permissions■ The Database diag directories are updated for group read/write permissions■ A directory (/opt/OracleHomes) is created for the agent information based on the
information provided in the Service Implementation Worksheet (SIW). The SIW is akey part of the planning, execution, and successful implementation of Oracle SupportedServices.
■ If permission to retain root privileges is given in the configuration worksheet, the sudoers orRBAC files are updated to allow the new OS user to execute commands as root
■ For Linux systems, the group of the /var/log/messages file is changed to the new group(orarom) if the group owner is root.This allows the agent user to be part of a group that can read the file and the group readpermission is granted. The agent user can then monitor the messages file. If the messagesfile is already owned by a different group, the new user is added to that group instead.
■ For Linux systems, the /etc/security/limits.conf file is updated to add the requiredsettings for the new user (orarom) to meet the agent requirements.
■ Agents are pushed from Oracle Advanced Support Gateway to the server using the newuser. The storage requirement for the agent is initially around 5GB.
■ Once the agents have been installed, the root.sh script for the agent is executed.
Oracle Advanced Support Gateway Security Guide 43
Implementation Changes to a Customer System
Root.sh creates or updates /etc/oragchomelist, creates /etc/init.d/gcstartup, creates/etc/init.d/lockgcstartup, and creates /etc/init.d/lockgcstartup.
■ For Solaris systems, the explorer tool may be scheduled to execute once per week at 11pPM on Sunday in root’s crontab.
■ For some Solaris systems, host-based fault telemetry is configured for ASR, either updatingsnmpd.conf or using asradm, and starting the required services.
■ ILOMs are configured to send SNMP traps to Oracle Advanced Support Gateway for allILOM detected faults of level minor or above for ASR.
Note - For Exadata Nodes, the ILOM rules are configured on the operating system of thenode using the Exadata CLIs (cellcli and dbmcli) rather than directly on the ILOM.
Note - For Exalogic Virtual Machines, a further file is copied from the physical host to /var/exalogic/info to define it as part of an Exalogic.
Engineered SystemsAn Engineered System has strict policies not to allow the creation of new users or thedeployment of agents on the OS.
The changes that are made to these systems are performed in three stages:
■ Create a user on the ILOM of the system to allow Oracle to access the ILOM and theconsole of the system during troubleshooting. The default username is orarom.
■ When the system is discovered by Oracle Enterprise Manager Cloud Control, it creates SSHkeys from the monitoring user on the database node(s) to the cellmonitor user within thestorage cell.
■ Update the snmpsubscribers in the cell software to send the traps to Oracle AdvancedSupport Gateway for ASR. This removes any current subscribers that have a type of ASR.
■ Update the notificationpolicy in the cell software to include "critical,warning,clear".■ Update the notificationmethod in the cell software to include snmp.
Engineered System Cisco SwitchesThe Cisco switch that is installed in the racks of an Engineered System is updated to send trapsto Oracle Advanced Support Gateway, and the SNMP server is enabled to send traps. Thecommunity string is entered if not already set.
44 Oracle Advanced Support Gateway Security Guide • May 2018
Implementation Changes to a Customer System
Engineered System Infiniband Switches
The Infiniband switches that are installed in the racks of an Engineered System are updatedto send traps to Oracle Advanced Support Gateway and a set of SSH keys is created to allowpassword-less login from the monitoring agent to the nm2user on the switch.
The SSH keys for Exadata and SuperCluster systems are configured at discovery time.For the other systems, these are created manually by the installation engineer during theimplementation prior to the target discoveries.
Engineered System PDU's
The PDU modules within the racks of an Engineered System are updated to send traps to OracleAdvanced Support Gateway, and the PDU thresholds are set to generate alerts based on thevalues from Oracle Engineering teams.
OVS Compute Nodes
The Oracle Virtual Server operating system that is used within an Engineered System that isrunning the virtualized stack has strict policies that do not allow the installation of agents on tothe systems. These nodes will have the ILOMs configured to send traps to the OASG for ASR.A user (orarom) will be created on the OVS Server and granted the following privileges in thesudoers file:
<user> ALL=/usr/sbin/xentop, /usr/sbin/dmidecode, /sbin/ethtool, /usr/bin/xenstore-ls, /usr/bin/xenstore-read, /usr/bin/xenstore-list, NOPASSWD: /usr/
sbin/xl, /usr/bin/ipmitool, /usr/sbin/xm, /usr/sbin/imageinfo
This list of commands is used by the Oracle Virtual Platform and Oracle Server target types toread information about the system and relay the information to OEM.
Note - The profile may be updated if the option for Oracle to retain sudo privilege is granted.
Oracle Advanced Support Gateway Security Guide 45
Implementation Changes to a Customer System
Exalogic Compute Nodes (PhysicalImplementation) and Exalogic Virtual Machines /Control Virtual Machines
These types of system have limited storage space on the root filesystem. Installing an agent onthe root filesystem is deemed to put this limited space at risk. The implementation for thesesystems creates a project on the internal ZFS storage array in the rack and creates a filesystemfor each node or VM that has an agent installed.
The installation on the node/VM will then perform the following:
■ Update the (v)fstab to ensure the filesystem is mounted from the ZFS storage array at boottime.
■ Mount the filesystem on the required directory.■ Install and configure the Exalogic Lifecycle Toolkit, release 14.2.
Refer to the Exalogic Lifecycle Tools Note 1912063.1 on the My Oracle Support(MOS) website at: https://support.oracle.com/epmos/faces/DocumentDisplay?id=1912063.1.
■ A user (orarom) will be granted the following privileges in the sudoers file:
<user> ALL==/usr/sbin/dmidecode, /sbin/ethtool, NOPASSWD: /usr/bin/ipmitool, /usr/sbin/imageinfo
Note - The profile may be updated if the option for Oracle to retain sudo privilege isgranted.
ZFS Storage Array Storage Heads
The ZFS arrays are appliances that cannot have agents installed on them. Consequently, they aremonitored from another agent using a specific monitoring user. The changes that are carried outon both of the storage heads in a cluster are as follows:
■ Execute the workflow “Configure for Oracle Enterprise Manager”. This always has therecreateWorksheet setting enabled. If the oracle_agent user and role are already created,then the recreateUser setting is not enabled. Otherwise it is enabled. If the user is set to berecreated, the password used is a strong, randomly generated, 16-character password.
46 Oracle Advanced Support Gateway Security Guide • May 2018
Implementation Changes to a Customer System
Note - The customer can change the password on the oracle_agent user without affectingthe Oracle monitoring solution.
■ Create a new user for the Oracle monitoring solution using the role oracle_agent created bythe above workflow. The default username is orarom, but the name is customizable from theService Implementation Worksheet (SIW).
■ Enable advanced_analytics for the new user created above.
Pillar Axiom 600 Storage ArraysThe Axiom 600 storage array is an appliance that cannot have an agent installed on it.Consequently, it is monitored from another agent using a plug-in. A new user is created with aMonitor role for the plug-in to perform the connection and obtain the information. The defaultusername is orarom, but the name is customizable from the Service Implementation Worksheet(SIW).
Utilization Impact Risk of OEM Cloud ControlAgent on Monitored SystemsOracle's implementation is designed to be a low risk deployment using scripts to ensureconsistent deployments across all customer implementations. Furthermore, the implementationis validated for monitoring within Oracle test systems. Oracle makes no changes to customerapplications or files outside of the steps described in the relevant sections on impacts on theenvironment above.
The table below outlines the utilization impact that OEM has on the monitored systems.
TABLE 19 Utilization Impact of Oracle Enterprise Manager Cloud Control Agent on MonitoredSystems
Overhead Impact of the Oracle Tools in the Environment
Metric OEM 12c
CPU Utilization The OEM 12c Agent uses from 0.02% to 1% of CPUutilization.
The agent may utilize more CPU cycles, depending onthe number of processes or applications monitored.
Memory Utilization The OEM 12c Agent needs from 1GB to 2GB RAM tooperate correctly.
Oracle Advanced Support Gateway Security Guide 47
Server Prerequisites for Monitoring Deployment
Overhead Impact of the Oracle Tools in the Environment
Metric OEM 12cThe actual memory utilization of the agent variesdepending on the number of processes or applicationsmonitored.
Disk Space Utilization The OEM agent requires at least 2GB of free disk spacefor the installation files.
After installation is complete, the installation files areremoved. The installed OEM agent requires about 1GBof space initially. As the agent operates, disk spacegradually increases up to 5GB.
Backout Plan
If it is necessary for the installation to be rolled back, Oracle will:.
■ Shutdown the agents that have been configured;
■ Work with the customer to schedule a maintenance window to remove the agents and trapdestinations for all the devices configured for monitoring.
Server Prerequisites for Monitoring Deployment
This section outlines the methods used to provide Oracle with the necessary server access forimplementing monitoring on the Gateway. Refer to the following:
■ “Server Prerequisites for Monitoring Deployment” on page 48■ “Monitoring Access: an Overview” on page 49.■ “User Privileges” on page 49■ “Solaris 11 Initial Setup User RBAC Profile” on page 51■ “Solaris 10 Initial Setup User RBAC Profile” on page 53■ “Solaris sudo Profile” on page 54■ “Linux sudo Profile” on page 55
Server Prerequisites for Monitoring Deployment
For services that are performed using Oracle Enterprise Manager (OEM), agents must bedeployed to the systems. These systems must meet the pre-requisites for an EM agent as
48 Oracle Advanced Support Gateway Security Guide • May 2018
Server Prerequisites for Monitoring Deployment
described in the Package Requirements for Oracle Management Agent section of OracleEnterprise Manager Cloud Control Basic Installation Guide.
Monitoring Access: an OverviewIn general, there are three methods for providing Oracle the necessary access for implementingmonitoring:
■ Provide root access to all systems.■ Enable access using Role-based Access Control (RBAC). RBAC is a security feature
for controlling user access to tasks that would normally be restricted to the root role.By applying security attributes to processes and to users, RBAC can divide superusercapabilities among several administrators. This option is applicable only to systems runningthe Solaris operating system.
■ Provide access via sudo (superuser do). sudo is a program for operating systems suchas Linux and Solaris that allows users to run programs as another user- normally as thesystem’s superuser (root) - as specified in the /etc/sudoers file. This section outlines themethods used to provide Oracle with the necessary access for implementing monitoring onthe Gateway.
During activation of database services, the following users and accounts are used to monitor thedatabase:
■ For storage/cluster monitoring, the user asmsnmp is used;■ For database monitoring, the user dbsnmp is used;■ For standby database monitoring, the user sysdba is used.
Note - Passwords for all of the above users must be available during installation. They canbe entered by the customer into the Oracle Advanced Support Gateway user interface whenneeded.
User PrivilegesOracle requires that the user can execute the following commands using root privileges:
■ <Service EM Base Directory>/agent_home/core/12.1.0.5.0/root.sh
■ <Service EM Base Directory>/agent_home/core/12.1.0.4.0/root.sh
■ /opt/exalytics/asr/bda_mon_hw_asr.pl (Exalytics only)■ /opt/oracle/oak/bin/oakcli (Oracle Database Appliance only)■ /opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl (Exadata only)
Oracle Advanced Support Gateway Security Guide 49
Server Prerequisites for Monitoring Deployment
■ /opt/oracle.cellos/imageinfo (Exadata only)■ /opt/exalogic/usr/sbin/imageinfo (Exalogic only)■ /opt/oracle/dbserver/dbms/bin/dbmcli (Exadata and ZDLRA only)■ /opt/oracle/bda/bin/imageinfo (Big Data only)■ /opt/oracle/bda/bin/imageinfo (Big Data only)■ /opt/ipmitool/bin/ipmitool (Solaris only)■ /opt/ipmitool/sbin/ipmitool (Solaris only)■ /usr/bin/chmod
■ /usr/bin/chown
■ /usr/bin/chgrp
■ /usr/bin/crontab (Solaris only)■ /usr/bin/cp
■ /usr/bin/ex
■ /usr/bin/ipmitool
■ /usr/bin/grep
■ /usr/bin/ls
■ /usr/bin/mkdir
■ /usr/bin/rmdir
■ /usr/bin/passwd
■ /usr/bin/profiles (Solaris 11 only)■ /usr/bin/vim
■ /usr/bin/xenstore-list
■ /usr/lib/fm/notify/asr-notify (Solaris 11 only)■ /usr/sbin/dbmcli (Exadata and ZDLRA only)■ /usr/sbin/dmidecode (Linux only)■ /usr/sbin/groupadd
■ /usr/sbin/svcadm (Solaris only)■ /usr/sbin/useradd
■ /usr/sbin/usermod
■ /usr/sbin/xm
The user provided for the initial setup can be removed once the monitoring has been deployedand the agent user has been created. The agent user can be a user defined within a namingservice and a home directory mounted from an NFS server. However, the agent installationdirectory must be unique to each server to be monitored. If the agent user is configured as partof a naming service, then the user must belong to the group that owns the Oracle inventory onall of the servers. The deployment scripts will verify and enforce group write permissions on
50 Oracle Advanced Support Gateway Security Guide • May 2018
Server Prerequisites for Monitoring Deployment
any Oracle inventory directory that is discovered by using the /etc/oraInst.loc or the /var/opt/oracle/oraInst.loc files.
User Privileges for Exalogic Systems
If the user is part of a naming service and NFS mounts are to be defined (Exalogic systemsrequire NFS mounts), use NFSv4 rather than NFSv3. The configuration of NFSv4 is outsidethe scope of this service, but the new mounts are defined with the NFSv4 options, and thefollowing extra command must be added to the security profile, depending on OS:
■ /usr/sbin/mount (Linux)■ /sbin/mount (Solaris)
Note - The command paths are related to Solaris. For the Linux paths, please refer to thesudo settings for Linux.
Solaris 11 Initial Setup User RBAC ProfileThe user for the initial setup requires a profile built from the following configuration file:
set desc="ACS Service Profile"
add cmd=<Service EM Base>/agent_home/core/12.1.0.5.0/root.sh
set uid=0
end
add cmd=<Service EM Base>/agent_home/core/12.1.0.4.0/root.sh
set uid=0
end
add cmd=/opt/oracle.cellos/imageinfo
set uid=0
end
add cmd=/opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl
set uid=0
end
add cmd=/opt/ipmitool/bin/ipmitool
set uid=0
end
add cmd=/opt/ipmitool/sbin/ipmitool
set uid=0
end
add cmd=/usr/bin/chmod
set uid=0
end
add cmd=/usr/bin/chown
set uid=0
Oracle Advanced Support Gateway Security Guide 51
Server Prerequisites for Monitoring Deployment
end
add cmd=/usr/bin/chgrp
set uid=0
end
add cmd=/usr/bin/crontab
set uid=0
end
add cmd=/usr/bin/cp
set uid=0
end
add cmd=/usr/bin/ex
set uid=0
end
add cmd=/usr/bin/vim
set uid=0
end
add cmd=/usr/bin/grep
set uid=0
end
add cmd=/usr/bin/ls
set uid=0
end
add cmd=/usr/sbin/groupadd
set uid=0
end
add cmd=/usr/bin/mkdir
set uid=0
end
add cmd=/usr/bin/rmdir
set uid=0
end
add cmd=/usr/bin/passwd
set uid=0
end
add cmd=/usr/bin/profiles
set uid=0
end
add cmd=/usr/lib/fm/notify/asr-notify
set uid=0
end
add cmd=/usr/sbin/svcadm
set uid=0
end
add cmd=/usr/sbin/useradd
set uid=0
end
add cmd=/usr/sbin/usermod
set uid=0
52 Oracle Advanced Support Gateway Security Guide • May 2018
Server Prerequisites for Monitoring Deployment
end
add cmd=/opt/exalogic/usr/sbin/imageinfo
set uid=0
end
If Oracle Enterprise Manager (OEM) agents are installed on an Exalogic, an NFS mount isconfigured by Oracle, and the user must also have the following command added to the profile:
add cmd=/sbin/mount
set uid=0
end
To create the profile from the configuration file above, perform the following as root or as auser with permission to create new profiles:
profiles -p <Profile name> -f <configuration file>
usermod -P +<Profile name> <user>
This provides the required level of access to perform the creation of the user and groupdirectories, as well as setting the permissions on the Oracle inventory.
Solaris 10 Initial Setup User RBAC Profile
Solaris 10 RBAC configuration is controlled through files located in the /etc/securitydirectory. Append the following lines to the exec_attr file:
ACSSINITIAL:solaris:cmd:::<Service EM
Base>/agent_home/core/12.1.0.5.0/root.sh:uid=0
ACSSINITIAL:solaris:cmd:::<Service EM
Base>/agent_home/core/12.1.0.4.0/root.sh:uid=0
ACSSINITIAL:solaris:cmd:::/opt/ipmitool/bin/ipmitool:uid=0
ACSSINITIAL:solaris:cmd:::/opt/ipmitool/sbin/ipmitool:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/chmod:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/chown:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/chgrp:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/crontab:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/cp:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/ex:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/vim:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/grep:uid=0
ACSSINITIAL:solaris:cmd:::/usr/sbin/groupadd:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/ls:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/mkdir:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/rmdir:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/passwd:uid=0
Oracle Advanced Support Gateway Security Guide 53
Server Prerequisites for Monitoring Deployment
ACSSINITIAL:solaris:cmd:::/usr/sbin/svcadm:uid=0
ACSSINITIAL:solaris:cmd:::/usr/sbin/useradd:uid=0
ACSSINITIAL:solaris:cmd:::/usr/sbin/usermod:uid=0
If Oracle Enterprise Manager (OEM) agents are installed on an Exalogic, an NFS mount isconfigured by Oracle, and the user must also have the following command added to the profile:
ACSSINITIAL:solaris:cmd:::/sbin/mount:uid=0
Append the following line to the prof_attr file:
ACSSINITIAL:::Oracle Install Profile:
Once these entries have been added, update the user that will be used for the initial installationto allow access to the profile:
usermod -P ACSSINITIAL <user>
Solaris sudo Profile
For Solaris users, add the following entries to the sudoers file:
Cmnd_Alias ACSSINSTALL = /usr/bin/chmod, /usr/bin/chown, \
/usr/bin/chgrp, /usr/bin/crontab, /usr/bin/cp, \
/usr/bin/ex, /usr/bin/grep, /usr/sbin/groupadd, \
/usr/bin/ls, /usr/bin/mkdir, /usr/bin/passwd, \
/usr/bin/profiles, /usr/lib/fm/notify/asr-notify, \
/usr/bin/rmdir, /usr/sbin/svcadm,/usr/sbin/asradm, \
/usr/sbin/useradd, /usr/sbin/usermod, \
<ServiceEMBase>/agent_home/core/12.1.0.5.0/root.sh,\
<ServiceEMBase>/agent_home/core/12.1.0.4.0/root.sh,\
/opt/ipmitool/bin/ipmitool, /opt/ipmitool/sbin/ipmitool, \
/opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl, \
/opt/oracle.cellos/imageinfo, \
/opt/exalogic/usr/sbin/imageinfo
<user> ALL=(ALL) ACSSINSTALL
The user must also have the sudo binary in their path to allow it to execute without a full path.
If the OEM agents are installed using an NFS mount that is to be configured by Oracle, then theuser must also have the following command alias created as assigned to the user:
Cmnd_Alias ACSSHAREDINSTALL = /sbin/mount
<user> ALL=(ALL) ACSSHAREDINSTALL
54 Oracle Advanced Support Gateway Security Guide • May 2018
Storage Prerequisites for Monitoring Deployment
Linux sudo Profile
For Linux users, add the following entries to the sudoers file:
Cmnd_Alias ACSSINSTALL = /bin/chmod, /bin/chown, \
/bin/chgrp, /bin/cp, /bin/ex, \
/bin/grep, /bin/ls, /bin/mkdir, /bin/rmdir, \
/opt/exalytics/asr/bda_mon_hw_asr.pl, \
/usr/bin/passwd, /usr/sbin/groupadd, \
/usr/sbin/useradd, /usr/sbin/usermod, \
/usr/bin/ipmitool, /usr/bin/xenstore-list, \
/opt/oracle/oak/oakcli, /usr/sbin/dmidecode, \
/opt/exalytics/asr/bda_mon_hw_asr.pl, \
<ServiceEMBase>/agent_home/core/12.1.0.5.0/root.sh,\
<ServiceEMBase>/agent_home/core/12.1.0.4.0/root.sh,\
/opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl, \
/opt/oracle.cellos/imageinfo, \
/opt/oracle/dbserver/dbms/bin/dbmcli, \
/opt/exalogic/usr/sbin/imageinfo, \
/usr/sbin/imageinfo, /usr/sbin/xm, \
/opt/oracle/bda/bin/imageinfo
<user> ALL=(ALL) ACSSINSTALL
The user must also have the sudo binary in their path to allow it to execute without a full path.
If Oracle Enterprise Manager (OEM) agents are installed on an Exalogic, an NFS mount isconfigured by Oracle, and the user must also have the following command added to the profile:
Cmnd_Alias ACSSHAREDINSTALL = /bin/mount
<user> ALL=(ALL) ACSSHAREDINSTALL
Storage Prerequisites for Monitoring Deployment
This section outlines storage requirements for the monitoring deployment. Refer to thefollowing sections:
■ “Monitoring Deployment: an Overview” on page 56■ “Oracle ZFS Storage Appliances” on page 56
Oracle Advanced Support Gateway Security Guide 55
Storage Prerequisites for Monitoring Deployment
Monitoring Deployment: an Overview
The storage systems do not have the same privilege promotion capabilities as the servers do;each storage system has a different method of granting access privileges. There are 3 options toprovide Oracle with the necessary access for implementing monitoring:
■ Provide administrator access to the system.■ For some systems, create a user with the necessary privileges for Oracle to configure a new
user for monitoring.■ Create the monitoring user per the system requirements.
For information on which options are available for the various storage systems, refer to thefollowing sections.
Oracle ZFS Storage Appliances
The information in the following sections defines the properties for the users used in thedeployment of monitoring and the standard monitoring users. Further privileges are required forpatching the systems during a patch cycle. Refer to the following sections:
■ “Restricted User for Monitoring Deployment (AKSH Shell)” on page 56■ “Monitoring User Requirements” on page 57■ “Restricted User for Monitoring Deployment User (ILOM)” on page 57■ “Monitoring User Requirements (ILOM)” on page 57
Restricted User for Monitoring Deployment (AKSH Shell)
You can create a user with the following privileges to be used during the monitoringdeployment:
TABLE 20 Privileges for a Restricted User for Monitoring Deployment
Object Permissions
worksheet.*.* modify
stat.* ■ read■ create
user.* ■ changePassword■ changePreferences■ changeProperties■ changeRoles
56 Oracle Advanced Support Gateway Security Guide • May 2018
Audit Logging
Object Permissions■ create
workflow.*.* read
role.* ■ changeAuths■ changeDescription■ create
Monitoring User Requirements
You can create the monitoring user using the following high level steps:
■ Execute the workflow outlined in the section “Configure for Oracle Enterprise ManagerMonitoring”, ensuring to select creation of the worksheet.
■ Create a new user for monitoring.■ Assign the oracle_agent role to this user.■ Set the preferences for the user to enable Advanced Analytics.■ Add the stat.* create authorization to the oracle_agent role.
Restricted User for Monitoring Deployment User (ILOM)
You can create a user with the role of u to allow Oracle to create a new user for use with themonitoring.
Monitoring User Requirements (ILOM)
In order to provide monitoring and diagnostic collection on the ZFS ILOM, including initiatingan NMI to the host, the monitoring user requires the permissions cro.
Audit Logging
The audit logging feature of Oracle Advanced Support Gateway provides audit information forthree different categories of system events. The three categories are:
■ Outbound network connections: The Linux firewall service (iptables) triggers notificationsfor all outbound network traffic with the exception of traffic to Oracle managed hosts usedfor monitoring and management (for example, Oracle VPN end points, dts.oracle.com,support.oracle.com).
Oracle Advanced Support Gateway Security Guide 57
Audit Logging
■ Outbound login activity: The Linux auditing service (auditd) triggers notifications for alloutbound login attempts initiated from Oracle Advanced Support Gateway. This is doneby monitoring usage of the ssh and telnet system binaries. Oracle Advanced SupportGateway sends a message that ssh or telnet has been used, by which user, and when. Thedestination is not provided. auditd logs contain that information. auditd logs are not directlyaccessible by the customer on Oracle Advanced Support Gateway.
■ Inbound Oracle Advanced Support Gateway User Login Activity: The Linux auditingservice (auditd) triggers notifications each time any of the system logs used for trackinglogins is updated. This includes failed logins and successful login attempts. It also triggersa notification each time a user logs in from a remote system. These activities are monitoredusing auditd and forwarded to the customer's central logging system.
All audit notifications are delivered using standard syslog protocol. A central logging systemmust be provided to accept and process these messages.
The format of most of these messages is based on auditd. They can be managed using variousauditd and related utilities.
The audit logging feature is disabled by default, and must be explicitly enabled through theOracle Advanced Support Gateway command line interface (CLI). The details of how toconfigure this feature are explained in the following section:
Initial Login
1. Use ssh to connect to Oracle Advanced Support Gateway.Use the customer administrator account configured at installation time or any other userwith the customer administrator role.
2. At the first (CLI or CLISH) prompt, enter the password.3. At the next prompt enter configure terminal.4. At the next prompt enter syslog.
You are now in the syslog-specific section of the Oracle Advanced Support Gateway CLIwhere you can configure forwarding.
Available Commands
Command Description
help Display a list of available commands.
? Provide a brief explanation of how to enter commands in the CLI.
stat Display the current configuration.
This produces a display similar to the following:
------------- SyslogBroadcaster Configuration ------------
Message Forward Status = enabled
58 Oracle Advanced Support Gateway Security Guide • May 2018
Audit Logging
Command DescriptionHost IP Address = 1.2.3.4
Host Port Number = 514
Host Time Zone = GMT
firewall Message Forward = enabled
ssh Message Forward = enabled
session Message Forward = enabled
UID/GUID MapICMP Type 0 and 8 = enabled
-----------------------------------------------------------
forward enable Enable syslog forwarding.
forward disable Disable syslog forwarding.
ip <ip address> Enter the IP address of the remote syslog server (the one receiving the forwardedmessages.)
You must enter a valid IP address, not a host name.
port <port number> Change the port used for forwarding syslog messages.
timezone <value> Set the time zone used in the forwarded syslog messages.
The value must be in the range -12 to +12 which is the offset from Greenwich MeanTime (GMT.)
mapping enable
mapping disable
Convert the UID and GUID contained in each message to the corresponding UNIXuser and group name.
Enabling and Disabling Logging MessagesThis section outlines the commands to enable and disable logging messages, and providesexamples of the resulting messages.
In the examples below, user mapping is enabled: uid=#(username) and gid=#(groupname).In the event that user mapping is disabled, all instances of uid=# and gid=# are replaced withuid=0 and gid=0.
Any combination of the following three categories can be enabled or disabled.
Outbound Network Connectivity
■ To enable or disable this type of message forwarding:
firewall enable
firewall disable
These messages are generated by iptables and represent all outbound network traffic with theexception of traffic to known addresses used for Oracle monitoring.
The following example shows messages as they are seen on the system that receives theforwarded syslog messages.
Oracle Advanced Support Gateway Security Guide 59
Audit Logging
Result from an nslookup command:
Jul 31 15:10:01 Jul-31 15: 10:01 GMT+00:00 0:0:0:0:0:0:0:1 NA:
sample-host kernel: iptables: IN= OUT=eth0 SRC=nn.nn.nn.nn DST=nn.nn.nn.nn LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=33101 DF PROTO=UDP SPT=30849 DPT=53 LEN=39 UID=jsmith GID=admin
Result from an ssh command:
Jul 31 15:13:22 Jul-31 15: 13:22 GMT+00:00 0:0:0:0:0:0:0:1 NA:
sample-host kernel: iptables: IN= OUT=eth0 SRC=nn.nn.nn.nn DST=nn.nn.nn.nn LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46937 DF PROTO=TCP SPT=54842 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0 UID=jsmith GID=admin
Outbound Login Activity
■ To enable or disable this type of message forwarding:
ssh enable
ssh disable
The following example shows a message as it is seen on the system that receives the forwardedsyslog messages.
Result from an ssh command:
Jul 31 15:22:15 Jul-31 15: 22:14 GMT+00:00 0:0:0:0:0:0:0:1 NA:
sample-host audispd: node=sample-host type=SYSCALL
msg=audit(1437567767.027:17839321): arch=c000003e syscall=59
success=yes exit=0 a0=124e030 a1=123d7f0 a2=1246d90 a3=10
items=2 ppid=22614 pid=25252 auid=54373 uid=jsmith gid=admin euid=54373
suid=54373 fsuid=54373 egid=501 sgid=501 fsgid=501 tty=pts4 ses=90594
comm="ssh" exe="/usr/bin/ssh"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="gateway_audit"
Oracle Advanced Support Gateway User Login Activity
■ To enable or disable this type of message forwarding:
session enable
session disable
The following examples show messages as they are seen on the system that receives theforwarded syslog messages.
Example of ssh being invoked on Oracle Advanced Support Gateway:
Aug 1 21:37:02 Aug-01 17: 37:02 GMT-04:00 0:0:0:0:0:0:0:1
60 Oracle Advanced Support Gateway Security Guide • May 2018
Managing ASR Audit Logs
NA: sample-host audispd: node=sample-host type=SYSCALL
msg=audit(1375393022.626:187186): arch=c000003e syscall=59 success=yes
exit=0 a0=7fa860e69380 a1=7fa860e697e0 a2=7fa860e69ca0 a3=0 items=2
ppid=1428 pid=12967 auid=4294967295 uid=jsmith gid=admin euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd"
exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
key="SESSION"
Result from an su command on Oracle Advanced Support Gateway:
Aug 1 21:42:49 Aug-01 17: 42:49 GMT-04:00 0:0:0:0:0:0:0:1
NA: sample-host audispd: node=sample-host type=SYSCALL
msg=audit(1437567906.700:17840209): arch=c000003e syscall=2 success=yes
exit=3 a0=7f691418c518 a1=2 a2=7f691418c760 a3=fffffffffffffff0 items=1
ppid=22614 pid=25811 auid=54373 uid=54373 gid=501 euid=0 suid=0 fsuid=0
egid=501 sgid=501 fsgid=501 tty=pts4 ses=90594 comm="su" exe="/bin/su"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="SESSION"
Managing ASR Audit Logs
This section describes how to manage Oracle Auto Service Request (ASR) audit logs for OracleAdvanced Support Gateway. It includes the following topics:
■ “About ASR Audit Logs” on page 61■ “Viewing ASR Audit Logs” on page 61■ “Downloading ASR Audit Logs” on page 62
About ASR Audit Logs
Oracle Auto Service Request (ASR) allows customers to restore system availability if ahardware fault occurs. ASR is a secure, expedited diagnostic process with automatic servicerequest generation, priority service request handling, and automatic parts dispatch.You canmaintain an ASR audit log that enables you to view, download, and search for audits.
Viewing ASR Audit Logs
The ASR Audit Log page enables you to view and maintain all of your organization’s OracleAdvanced Support Gateway ASR log entries, and to download cached log files.
Oracle Advanced Support Gateway Security Guide 61
Managing ASR Audit Logs
To view ASR audit log entries:
1. Log in to Oracle Advanced Support Gateway.The Oracle Advanced Support Gateway Home page appears.
2. From the Gateway menu, click ASR Audit Log.The ASR Audit Log page appears, displaying the following information for all entries in theASR Log Entries table:
TABLE 21 Field Definitions in the ASR Log Entries Table
Property Definition
# The number of the ASR log entry.
Time The time at which the ASR log entry was made.
UUID The UUID associated with the ASR log entry.
Site ID The site ID at which the ASR log entry was made.
Host ID The host ID at associated with the ASR log entry.
System ID The system ID associated with the ASR log entry.
Asset ID The asset ID associated with the ASR log entry.
Product Name The product name associated with the ASR log entry.
Status Indicates whether the ASR log entry status is:
■ Sent: The ASR log entry has been delivered to Oracle ASR Infrastructure
Downloading ASR Audit Logs
The ASR Audit Log page enables you to download cached log files.
To download ASR log entries:
1. Log in to Oracle Advanced Support Gateway.The Oracle Advanced Support Gateway Home page appears.
2. From the Gateway menu, click ASR Audit Log.The ASR Audit Log page appears.
3. Click Download Log Files.A list of timestamped ASR audit logs appears.
4. Click the required log to download it.5. Save the log to the required location.
62 Oracle Advanced Support Gateway Security Guide • May 2018