Oracle Enterprise Manager Security Best Practices


2 Oracle Enterprise Manager Security Best Practices
Huaqing Wang, Senior Product Manager, Oracle
Ravi Pinnamaneni, Consulting Member of Technical Staff, Oracle

3 The following is intended to outline our general product direction
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

4 Agenda
- Oracle Enterprise Manager Overview
- Security Best Practices
- Managing Enterprise Manager Security using Enterprise Manager
- Q & A
- Appendix

6 Business-Driven IT Management
This slide explains the overall concept and operational architecture of “Business Driven IT Management” – a central theme of Oracle Enterprise Manager 11g. Business-Driven IT Management has 3 major solution pillars:
- Pillar #1: Business Driven Application Management – provides correlated management of User Experience, Business Transactions and Business Services – allows users to identify business issues, understand business needs, and manage from a business perspective.
- Pillar #2: Integrated Application to Disk & Cloud Management – provides complete and integrated management of Oracle’s SW+HW stack, and private clouds – enables enterprises to eliminate management silos, and create agile IT for dynamic business.
- Pillar #3: Integrated Systems Management & Support – provides integration with Services Cloud, including Oracle’s Support Portal (MyOracleSupport.com) – allows users to proactively identify and fix problems, and maximize business productivity.
[Staging for the next slide..] This completes a quick overview of the Business-Driven IT Management and its three major solution pillars. For rest of the presentation, we will zoom into and focus on pillar xxx …

7 Enterprise Manager Security Certification Common Criteria EAL 4+
- Enterprise Manager security feature development process rigorously vetted and certified by an independent government agency
- Certified with Common Criteria Evaluation Assurance Level (EAL) 4+ with ID# BSI-DSZ-CC on Aug. 27, 2010
- Comprehensive evaluation process took 2+ years to complete
- EAL4+ is the highest mutually recognized level among governments worldwide

8 Oracle Enterprise Manager Architecture Overview
Oracle Management Agent (Management Agent)
- An integral software component deployed on each monitored host
- Responsible for monitoring and managing the hosts and all the targets running on those hosts, and for communicating the information (metrics, configurations, etc.) to Oracle Management Service (OMS)

9 Oracle Enterprise Manager Architecture Overview
Oracle Management Service (OMS)
- J2EE Web application that orchestrates with Oracle Management Agents to discover targets, monitor and manage them, and upload the collected information to the Oracle Management Repository for future reference and analysis
- Renders the user interface for the Grid Control Console

10 Oracle Enterprise Manager Architecture Overview
Oracle Management Repository (Management Repository)
- An Oracle database where all the information (metrics, configurations, etc.) collected by the Oracle Management Agents gets stored

11 Oracle Enterprise Manager Architecture Overview
Grid Control Console
- A web user interface from where you can monitor and administer your entire computing environment

13 Enterprise Security Considerations and Threats
Security                              Threat
Data confidentiality and integrity    Man-in-the-Middle attacks
Data availability                     Denial-of-Service attacks
Authentication                        Password crack attacks
Segregation of duties                 Exploitation of authorization
Non-repudiation                       Repudiation

14 Enterprise Security Considerations and Threats
Data confidentiality and integrity
- Not disclosed to any entities unless they are authorized to access
- Not changed, destroyed, or lost in an unauthorized or accidental manner
Man-in-the-Middle attacks
- Interrupt, intercept, modify or fabricate data in transit
(Diagram labels: Interrupted/Stolen, Management Agent, OMS)

15 Enterprise Security Considerations and Threats
Data availability
- Available and usable upon demand by an authorized entity
Denial-of-Service attacks
- Make the Management Repository or OMS unavailable to intended users by flooding them with more requests than they can handle
(Diagram labels: OMS, Management Agent, Hacker)

16 Enterprise Security Considerations and Threats
Authentication
- The process of verifying the identity, usually a username and password, claimed by a user
Password crack attacks
- Obtain a password from an authentication exchange, then use the password to log on to Enterprise Manager Grid Control
- For example: guessing, dictionary and brute-force attacks

17 Enterprise Security Considerations and Threats
Segregation of duties
- No person should be given responsibility for more than one related function
Exploitation of authorization
- Accessing resources (targets, jobs, templates and so on) that the user should not be authorized to access

18 Enterprise Security Considerations and Threats
Non-repudiation
- Network security: neither sender nor recipient can later deny having processed the information
- Web application security: no one can later deny the actions he/she has taken in the application
Repudiation
- Denying authorship of something that happened

19 Oracle Enterprise Manager Security Overview
- Enterprise Manager Infrastructure Security
- Authentication, Authorization and Audit – The Three A’s
- Security of target authentications

20 Enterprise Manager Infrastructure Security
Enterprise Manager Infrastructure Security
- Securing individual Enterprise Manager components
- Securing communication
(Diagram labels: Oracle Management Repository, Oracle Management Service, Grid Control Console, Management Agent, Database, Application, Host)

21 Infrastructure Security Best Practices Securing Enterprise Manager Components
Harden the machines on which OMS and Management Repository reside
- Remove insecure services such as FTP, telnet, rlogin and so on
- Close UDP and TCP ports for services that are disabled
Apply all security patches
- Always apply the latest relevant CPUs for OS, Oracle Database, Oracle WebLogic Server, OMS and Agents
Use a privilege delegation tool such as sudo/PowerBroker for access to the owner of the OMR, OMS and Agent Oracle Homes
- Disable direct login to hosts for the owner account, “oracle”
- Allow normal users to perform administrative tasks without disclosing the password of the privileged user

22 Infrastructure Security Best Practices Oracle Management Repository
Follow best practices for securing the Oracle Database (e.g. Oracle Database Security Checklist)
Restrict operating system access
- Limit the number of OS users with access to the Oracle Database host
- Restrict the ability of these users to modify the default file/directory permissions of the Oracle Home
Restrict network access to the Repository
- Check network IP addresses to allow access to the Oracle Database only from authorized nodes
- Configure the $TNS_ADMIN/protocol.ora file:
    tcp.validnode_checking=yes
    tcp.invited_nodes={list of IP addresses}
- If the Repository is the only database on the host, we can limit the nodes to OMS nodes only
Please refer to the link for more information
The Oracle Database Security Checklist is a 16-page whitepaper that lists all the security best practices for Oracle Database in detail.
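
A check for the valid-node settings on this slide, as an added example that is not Oracle's code: it reads the file contents, confirms that checking is switched on, and compares the allowed nodes with the OMS hosts. It uses Oracle Net's parameter name tcp.invited_nodes for the allowed-node list; the function names, the sample file and the IP addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of $TNS_ADMIN/protocol.ora on the Repository host.
SAMPLE_PROTOCOL_ORA = """\
# constructed sample, not taken from a real system
tcp.validnode_checking = yes
tcp.invited_nodes = (10.1.1.11, 10.1.1.12, 10.1.9.50)
"""

# Assumed addresses of the OMS nodes (constructed values).
OMS_NODES = ["10.1.1.11", "10.1.1.12"]


def parse_params(text):
    """Return {lower-cased parameter name: raw value}; comment lines are skipped."""
    pairs = re.findall(r"(?m)^[ \t]*([\w.]+)[ \t]*=[ \t]*(.*?)[ \t]*$", text)
    return {name.lower(): value for name, value in pairs}


def node_list(raw):
    """Split '(a, b, c)' or 'a, b, c' into a list of node strings."""
    return [n.strip() for n in raw.strip("()").split(",") if n.strip()]


def audit_valid_nodes(text, oms_nodes):
    """Return a list of findings; an empty list means the file matches the advice."""
    params = parse_params(text)
    findings = []
    if params.get("tcp.validnode_checking", "").lower() != "yes":
        findings.append(
            "tcp.validnode_checking is not yes; the node list is not enforced")

    expected = {ipaddress.ip_address(n) for n in oms_nodes}
    invited = set()
    for node in node_list(params.get("tcp.invited_nodes", "")):
        try:
            addr = ipaddress.ip_address(node)
        except ValueError:
            # Host names are legal entries but cannot be compared offline.
            findings.append(f"{node}: host name entry, resolve and review by hand")
            continue
        invited.add(addr)
        if addr not in expected:
            findings.append(f"{node}: allowed to connect but is not an OMS node")

    # An OMS node left off the list would lose its Repository connection.
    for addr in sorted(expected - invited):
        findings.append(f"{addr}: OMS node missing from tcp.invited_nodes")
    return findings


if __name__ == "__main__":
    for finding in audit_valid_nodes(SAMPLE_PROTOCOL_ORA, OMS_NODES):
        print(finding)
```
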

23 Infrastructure Security Best Practices Oracle Management Service
Follow best practices for securing Oracle WebLogic Server (Securing the Production Environment for Oracle WebLogic Server)
Protect the WebLogic Server Home directory, especially the domain directory, which contains configuration files, security files, log files and other Java EE resources for the WebLogic domain
- Grant access to the directory only to the one OS user who runs WebLogic Server
Create no fewer than two user accounts with system administrator privileges
- To ensure one user maintains account access in case another user becomes locked out by a dictionary/brute force attack
Please refer to for more information

24 Infrastructure Security Best Practices Oracle Management Agent
Deploy agents by pushing them from OMS
- Secure Shell (SSH) protocol is used in this approach, which ensures the confidentiality and integrity of agent installation
Use complex one-time registration passwords with a reasonable expiry date
- The registration password, combined with random keys generated by OMS and agent, is used to produce the agent key that registers and secures the agent
- Protects against the possibility of unauthorized agents accessing OMS

26 Infrastructure Security Best Practices Securing Communication Overview
Various communications within Enterprise Manager
- Between OMS and agent (bidirectional)
- Between browsers and OMS
- Between OMS and Management Repository
- Between OMS and targets
- Communications in firewall environments

27 Infrastructure Security Best Practices Securing Communication Between OMS and Agents
Securing communication between OMS and Agents (bidirectional)
- It is secure-locked out of the box ( and after), which means the communication is only over HTTPS
Security aspects of communication over HTTPS
- What secure protocol is used
  - Secure Socket Layer (SSL) v3
  - Transport Layer Security (TLS) v1
- What strong cipher suites are used
- Is the certificate from a well-known Certificate Authority (CA)

28 Infrastructure Security Best Practices Securing communication
Enable TLS v1 only for communication between OMS and Management Agents
OMS:
    emctl stop oms
    emctl secure oms -protocol TLSv1
  Append -Dweblogic.security.SSL.protocolVersion=TLS1 to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh.
    emctl start oms
Agent:
  Update $Agent_Home/sysman/config/emd.properties
    allowTLSonly=true

30 Infrastructure Security Best Practices Configuring Enterprise Manager for Firewalls
Firewalls are commonplace in most mature and modern IT infrastructures
Two areas where Enterprise Manager and firewalls will interact
- Navigate between Enterprise Manager components separated by firewalls
- Communicate with managed targets that are behind firewalls
Enterprise Manager is designed to cope with both cases, but this is one of the least understood areas when deploying Enterprise Manager in a secure environment

31 Infrastructure Security Best Practices Configure Enterprise Manager for Firewalls
Best Practices:
- Get firewalls into the first design of the solution
- Carefully analyze your protocol requirements between Enterprise Manager and the managed targets in your environment, e.g.,
  - HTTP/HTTPS for communication between OMS and Agents
  - SQL*Net for the communication between OMS and Oracle Database targets
  - ICMP and UDP for the communication between beacons and managed targets
- Consider placement of OMSs when laying down your Enterprise Manager topology
- Work closely with the network team on the design of groups and Access Control Lists (ACLs) for groups of targets

32 Infrastructure Security Best Practices Configuring Enterprise Manager for Firewalls
Lots of different permutations with Enterprise Manager when dealing with firewalls….
- Configuring agents on a host protected by a firewall
- Configuring OMS on a host protected by a firewall
- Firewalls between OMS and OMR
- Firewall between your browser and Grid Control
- Firewalls between Grid Control and a managed database target
- Firewalls used with multiple OMS
- ……
Let’s take a tour through some of these

33 Infrastructure Security Best Practices Configure Enterprise Manager for Firewalls
Configure Oracle Management Agent on a host protected by a firewall
- Configure Oracle Management Agent to use a proxy server for its upload to OMS
  - Update the following parameters in file $AGENT_HOME/sysman/config/emd.properties
      REPOSITORY_PROXYHOST=proxyhostname.domain
      REPOSITORY_PROXYPORT=port
  - If authentication is required, edit the following parameters as well
      REPOSITORY_PROXYREALM=realm
      REPOSITORY_PROXYUSER=proxyuser
      REPOSITORY_PROXYPWD=proxypassword
- Configure the firewall to allow inbound communication from OMS to Agent
  - Port 3872 (default)
  - Port range (non-default)
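
A check of the agent's emd.properties covering the proxy parameters on this slide and the allowTLSonly setting from the TLS v1 slide, as an added example that is not Oracle's code. REPOSITORY_URL is the agent's upload URL property and does not appear on the slides; the sample file, host names, password value and function names are constructed.

```python
import os
import stat

# Constructed sample of $AGENT_HOME/sysman/config/emd.properties.
SAMPLE_EMD_PROPERTIES = """\
# constructed sample, not taken from a real agent
REPOSITORY_URL=http://oms.example.com:4889/em/upload
REPOSITORY_PROXYHOST=proxy.example.com
REPOSITORY_PROXYPORT=
REPOSITORY_PROXYUSER=emproxy
REPOSITORY_PROXYPWD=constructed-secret
allowTLSonly=false
"""


def load_properties(text):
    """Read key=value lines, ignoring blanks and '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_agent_config(text, file_mode):
    """Return findings for the file contents and its permission bits."""
    props = load_properties(text)
    findings = []

    # TLS-only setting on the agent side.
    if props.get("allowTLSonly", "").lower() != "true":
        findings.append("allowTLSonly is not true")

    # Upload to OMS should go over HTTPS.
    if not props.get("REPOSITORY_URL", "").lower().startswith("https://"):
        findings.append("REPOSITORY_URL is missing or does not use https")

    # Proxy host and port only make sense as a pair.
    host = props.get("REPOSITORY_PROXYHOST", "")
    port = props.get("REPOSITORY_PROXYPORT", "")
    if host and not port.isdigit():
        findings.append("REPOSITORY_PROXYHOST is set but REPOSITORY_PROXYPORT is not a port number")
    if port and not host:
        findings.append("REPOSITORY_PROXYPORT is set but REPOSITORY_PROXYHOST is empty")

    # A proxy password in the file calls for owner-only permissions.
    if props.get("REPOSITORY_PROXYPWD") and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(
            f"REPOSITORY_PROXYPWD is set and the file is readable by group or others "
            f"(mode {file_mode:04o})")
    return findings


def audit_file(path):
    """Audit a real emd.properties file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return audit_agent_config(text, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    for finding in audit_agent_config(SAMPLE_EMD_PROPERTIES, 0o644):
        print(finding)
```
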

34 Infrastructure Security Best Practices Configure Enterprise Manager for Firewalls
Configure Oracle Management Service on a host protected by a firewall
- Configure OMS to use a proxy server for its communication to agents outside the firewall
  - Update the following OMS properties via the emctl set property command:
      emctl set property -name <property> -value <value>
      PROXYHOST=proxyhostname.domain
      PROXYPORT=port
  - If there are some agents on hosts that are inside the firewall, set the dontProxyFor property for these hosts
      dontPROXYFor = hostname1,hostname2
- Configure the firewall to allow inbound communication from Agents to OMS
  - Default HTTP/HTTPS Ports: 4889/1159
  - Non-default port range /

36 Authentication, Authorization and Auditing The Three A’s
Authentication
- Determines whether someone is in fact who they are declared to be while accessing Enterprise Manager Grid Control
Authorization
- Provides access control to secure resources and functionalities within Enterprise Manager such as targets, jobs, templates, reports, etc.
Audit
- Keeps track of the actions that happened within Enterprise Manager to prevent repudiation
(Diagram labels: View Reports, Blackout Targets, Submit Jobs, Manage Metrics, Manage Alerts, ……; Jobs, Templates, Reports, etc.; Databases, Applications, Hosts, Application Servers)

38 The Three A’s Best Practices Authentication
Repository-based authentication (default)
- Use a password profile to enforce password controls such as password complexity, failed login attempts, password reuse max, password life time, etc.
Leverage Grid Control user authentication to Oracle Single Sign-On (OSSO) or Enterprise User Security (EUS)
- Simplify identity management across the enterprise
- Both SSO and EUS enable your users to authenticate to Grid Control by using their credentials stored in an LDAP server

39 The Three A’s Best Practices Authentication
Disable SYSMAN logging into the Grid Control console by issuing the following SQL statement on the Repository:
    UPDATE MGMT_CREATED_USERS SET SYSTEM_USER='-1' WHERE user_name='SYSMAN'
If you want to enable SYSMAN logging into the Grid Control console later on:
    UPDATE MGMT_CREATED_USERS SET SYSTEM_USER='1' WHERE user_name='SYSMAN'
Change the password for both SYSMAN and MGMT_VIEW on a regular basis
- Prevents password crack attacks
    emctl config oms -change_repos_pwd -change_in_db
    emctl config oms -change_view_user_pwd

41 The Three A’s Best Practices Authorization Overview
Two-step authorization process enables fine-grained access and segregation of duties:
Enterprise Manager authorization
- Controls the access to the resources and functionalities within Enterprise Manager
  - Manage target metrics thresholds
  - Set alert notification rules
  - Enable/disable Enterprise Manager packs
Target authorization
- Controls the access to the resources and functionalities within the target
  - CREATE new TABLE
  - Back up database
  - Tune SQL
- Enforced by the target security model
- Depends on the credential used to connect to the target

42 The Three A’s Best Practices Authorization Overview
Example: Create a new user, SQLTuningDBA, who is only responsible for tuning 2 of 100 managed database targets
Enterprise Manager authorization
- Create EM user SQLTuningDBA
- Grant VIEW Target Privilege on the 2 DB targets of interest
Target authorization
- Target credentials used should have the following database privileges
  - select_any_catalog
  - administer sql tuning set
  - execute on dbms_workload_repository
(Diagram: Oracle Enterprise Manager connects to Database 1 as database user A and to Database 2 as database user B)

43 The Three A’s Best Practices Enterprise Manager Authorization Overview
What type of administrator should the new user be?
- Normal Enterprise Manager Administrator: has NO access to anything unless granted privileges
- Super Administrator: has FULL privileges on all targets and the ability to create Super Administrators

44 The Three A’s Best Practices Enterprise Manager Authorization Overview
What System Privilege(s) should the user have?
- Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1), e.g.,
  - Should the user be able to VIEW any targets?
  - Should the user be able to ADD new targets?

45 The Three A’s Best Practices Enterprise Manager Authorization Overview
What targets should the user be able to access?
- Should the user only be able to monitor the databases of his own department?

46 The Three A’s Best Practices Enterprise Manager Authorization Overview
What Target Privilege(s) should the user have?
- Enterprise Manager provides 7 Target Privileges, e.g.,
  - Should the user be able to blackout target 1, 2 and 3?
  - Should the user be able to change metric threshold settings for target 4, 5 and 6?
- Whether the user is able to tune performance of target 1 depends on the credential he uses to connect to target 1

47 The Three A’s Best Practices Enterprise Manager Authorization Overview
Privilege Propagating Group
- If groups of targets are always monitored and managed in the same way, do we have to grant the privileges on these individual targets to the user?
- Privilege Propagating Group: privileges granted on the group are automatically granted on its members

48 The Three A’s Best Practices Enterprise Manager Authorization Overview
Role
- If there is a set of users sharing the same responsibilities, do we have to grant all the individual privileges one by one to these users?
- Role: a set of privileges

49 The Three A’s Best Practices Enterprise Manager Authorization
Reduce the number of Super Administrators
- Super Administrators have FULL privileges on all targets and could create additional Super Administrators
Grant only the minimum set of privileges
- Follow the principle of least privilege: grant users only the minimum set of privileges needed to fulfill their responsibilities
Achieve segregation of duties and simplify authorization management
- Grant roles instead of individual privileges to users
- Use roles along with Privilege Propagating groups
Monitor privilege/role operations through Enterprise Manager Auditing

51 The Three A’s Best Practices Audit
Extended actions audited by Enterprise Manager: 61 actions (33 new actions in 11g Release 1)
- For example, user login/logoff, privilege granting/revoking, changes to monitoring templates, changes to user-defined policies, and database target start/stop/restart
Built-in externalization service to purge audit data from the Repository and export it to an external file system automatically
    emcli update_audit_settings -file_prefix=<file_prefix> -directory=<directory_name> -file_size=<file size> -data_retention_period=<period in days>
GUI interface to view and search audit data
- Setup -> Management Service and Repository -> Audit Data

52 The Three A’s Best Practices Audit
Enable audit for EM operations
    emcli enable_audit
If you only care about a subset of actions, you can enable auditing for just those
    emcli update_audit_settings -audit_switch="ENABLE" -operations_to_enable="LOGIN;LOGOUT"
Configure the externalization service to purge the audit data from the Repository to an external file system on a regular basis
    emcli update_audit_settings -directory="EM_DIR" -file_prefix="emgc_audit" -file_size=" " -data_retention_period="60"

54 Security of Target Authentication Credential System
Credentials are typically the username and password required to access targets such as databases, hosts, etc.
- Stored encrypted in the Repository or Agent
Usages of credentials:
- Collect metrics in the background as well as in real time
- Perform jobs like Backup, Patching, Cloning, etc.
- Real-time target administration like start, stop, etc.
- Connect to My Oracle Support for patches
Types of credentials:
- Preferred credentials: per user basis
  - Default credential: per target type
  - Target credential: per target
  - Target credential overrides default credential
(Diagram: Enterprise Manager users, Oracle Management Service and Oracle Management Repository, where credentials are stored encrypted; Agents perform target authentication against database, application server and application targets on Solaris, Linux and Windows)

55 Target Authentication Best Practices Credential System
Do not set preferred credentials for group/common accounts, e.g., SYSMAN. The following SQL statement lists the preferred credential settings:
    SELECT t.target_name, tc.user_name, tc.credential_set_name
    FROM MGMT_TARGET_CREDENTIALS tc, MGMT_TARGETS t
    WHERE tc.target_guid = t.target_guid
Keep track of operations on credentials by enabling auditing of the corresponding actions
Use emcli verbs to synchronize credentials between Enterprise Manager and its database targets
    emcli update_db_password -user_name="DBUserName" -change_at_target=yes
(Diagram labels: Preferred Credentials, UDM Collection Credentials, Job Credentials, Monitoring Credentials, Database User)

56 Target Authentication Best Practices Host Target Authentication
Configure Pluggable Authentication Module (PAM) to take advantage of rich authentication approaches to Host access
- Kerberos, RADIUS and LDAP supported to take advantage of the centralized identity storage and management
- WebIV : How to configure Agent with PAM to support LDAP authentication
Privilege Delegation (sudo/PowerBroker) supported across Enterprise Manager
- Enable users to perform administrative tasks without providing credentials for functional accounts
1. WebIV Note: : How to Configure GC Agent for PAM and LDAP

57 Threats vs. Best Practices
Security Threats | Best Practices
Man-in-the-Middle Attacks | Securing the communication; Enable TLS v1 protocol; Configure firewalls; ……
Denial-of-Service Attacks | Secure individual Enterprise Manager components
Exploitation of Authorization | Principle of least privileges; Auditing the authorization actions
Password crack Attacks | Change password on a regular basis; Enable password profile to enforce password control
Repudiation | Enable auditing for Grid Control actions

58 Agenda
- Oracle Enterprise Manager Overview
- Security Best Practices
- Managing Enterprise Manager Security using Enterprise Manager
- Q & A
- Appendix

59 Oracle Enterprise Manager Manage its Own Security
Monitor its own security compliance
- Security policies: define the desired behaviors of systems in terms of security
- Security at a glance: provides an overview of the security health of the enterprise for all targets or specific groups
- Notification of violations (Page, SNMP Traps, etc.)
Fix its own security violations
- Corrective actions
- CPU Advisory
- Patching automation
  - Connects to MOS to discover and pull in new patches
  - Rapidly deploys security patches

60 Oracle Database Security Best Practices
Useful Whitepapers
- Oracle Database Security Best Practices
- Oracle WebLogic Server Security Best Practices
- Oracle Enterprise Manager Security Deployment Best Practices

61 Additional Oracle Enterprise Manager Sessions
Thursday, Sept. 23
- 3:00 p.m. - The X-Files: Managing the Oracle Exadata and Highly Available Oracle Databases (Moscone S. Room 102)
- 3:00 p.m. - Monitoring and Diagnosing Oracle RAC Performance with Oracle Enterprise Manager (Moscone S. Room 310)

62 Oracle.com/enterprisemanager11g
Oracle Enterprise Manager 11g Resource Center: Access Videos, Webcasts, White Papers, and More. To get the latest Oracle Enterprise Manager 11g resources, including videos, solution webcasts, white papers, and much more, visit oracle.com/enterprisemanager11g

65 Appendix

66 Infrastructure Security Best Practices Oracle Management Repository
Secure the Oracle Listener to defend against Denial-of-Service (DoS) attacks
- Enable the Connection Rate Limiter feature
- Configure $TNS_ADMIN/admin/listener.ora
  - Connection_rate_Listenername = n
  - Rate_limit in the ADDRESS section of the listener endpoint configuration:

    Listenername=(ADDRESS=(PROTOCOL=tcp)(HOST=Server1)(PORT=1521)(RATE_LIMIT=yes))

- Please refer to the link for more information

The Oracle Network Listener is the first point of contact for any client connection to the database. The Listener brokers client requests, handing them off to appropriate database servers. In a typical server configuration, the Listener is the only entity listening for client connection requests, and thus is the first line of defense against Denial-of-Service attacks. This paper describes a new feature in the Listener, the Connection Rate Limiter, which allows a DBA to specify limits on the number of new connections handled by the listener. This throttling allows a database server system to better handle sudden spikes in connection requests.

67 Infrastructure Security Best Practices Secure communication
Secure lock OMS
- Enforces communication with the OMS only over SSL/TLS
- By default OMS is secure locked ( and after)
- If your instance is upgraded from a previous version that is not secure locked, issue the following command:

    emctl secure lock

- The following command tells you whether your OMS is secure locked:

    emctl status oms -details
    HTTP Console Port : 7802
    HTTPS Console Port : 5416
    HTTP Upload Port : 7654
    HTTPS Upload Port : 4473
    Agent Upload is locked.
    OMS Console is locked.
    Active CA ID: 1

In a brand new 11.1 installation, the OMS is secure locked out of the box, which…. If the instance is upgraded from a previous version that was configured with secure lock, the lock remains. If the previous instance was not configured with it, secure lock the OMS.

68 Infrastructure Security Best Practices Secure communication
Secure the agent
- Check whether the agent is secured:

    emctl status agent -secure
    Agent is secure at HTTPS Port 1838
    OMS is secure on HTTPS Port 4473

- Secure the agent:

    emctl secure agent
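The secure-lock check on slide 67 and the agent check on slide 68 can be automated by parsing the two status outputs. The following is an added example, not part of the presentation or of Oracle's tooling; the function names are hypothetical, the sample text is constructed from the output printed on the slides, and any line other than the exact "is locked." / "is secure" wording is treated as a failure.

```python
import re

# Constructed sample: the output printed on slides 67 and 68.
OMS_STATUS = """HTTP Console Port : 7802
HTTPS Console Port : 5416
HTTP Upload Port : 7654
HTTPS Upload Port : 4473
Agent Upload is locked.
OMS Console is locked.
Active CA ID: 1"""

AGENT_STATUS = """Agent is secure at HTTPS Port 1838
OMS is secure on HTTPS Port 4473"""


def parse_oms_status(text):
    """Extract port numbers and lock flags from `emctl status oms -details`."""
    ports = {m.group(1): int(m.group(2))
             for m in re.finditer(r"^(HTTPS? \w+ Port)\s*:\s*(\d+)", text, re.M)}
    return {
        "ports": ports,
        "upload_locked": bool(re.search(r"^Agent Upload is locked\.", text, re.M)),
        "console_locked": bool(re.search(r"^OMS Console is locked\.", text, re.M)),
    }


def audit(oms_text, agent_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    oms = parse_oms_status(oms_text)
    if not oms["upload_locked"]:
        findings.append("agent upload is not locked: run `emctl secure lock`")
    if not oms["console_locked"]:
        findings.append("console is not locked: run `emctl secure lock`")
    if not re.search(r"^Agent is secure at HTTPS Port \d+", agent_text, re.M):
        findings.append("agent is not secured: run `emctl secure agent`")
    upload = re.search(r"^OMS is secure on HTTPS Port (\d+)", agent_text, re.M)
    https_upload = oms["ports"].get("HTTPS Upload Port")
    if not upload:
        findings.append("agent does not report a secure OMS upload port")
    elif int(upload.group(1)) != https_upload:
        # The agent should upload to the port the OMS lists as HTTPS upload.
        findings.append(f"agent uploads to port {upload.group(1)}, "
                        f"but the OMS HTTPS upload port is {https_upload}")
    return findings
```

In practice the two strings would be the captured output of `emctl status oms -details` on the OMS host and `emctl status agent -secure` on each agent host.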

69 Infrastructure Security Best Practices Secure communication
- Secure the communication between OMS and Repository by enabling the network security feature of Advanced Security Option (ASO)
- ASO is a DB option that combines network encryption, database encryption and strong authentication to help customers address privacy and compliance requirements
- Ensures that the data between OMS and Repository is secure from both confidentiality and integrity standpoints

70 Infrastructure Security Best Practices Secure communication
Securing communication between OMS and Repository by enabling the network security feature of Advanced Security Option (ASO)
Steps:
- Set the following OMS configuration parameters to the appropriate values by issuing the following command:

    emctl set property -name <property_name> -value <value>

    oracle.sysman.emRep.dbConn.enableEncryption=true
    oracle.net.encryption_client=REQUESTED
    oracle.net.encryption_types_client={DES40C}
    oracle.net.crypto_checksum_client=REQUESTED
    oracle.net.crypto_checksum_types_client={MD5}

- Add the following to the Repository's $TNS_ADMIN/sqlnet.ora:

    SQLNET.ENCRYPTION_SERVER = REQUESTED
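Whether these settings actually switch encryption and checksumming on depends on how Oracle Net negotiates the client and server levels. The following added example (not from the presentation; function names are hypothetical, and the sample text is constructed from the values on the slide) applies the Oracle Net negotiation rules, with an unset side defaulting to ACCEPTED, and flags 40/56-bit ciphers and MD5.

```python
import re

# Constructed sample: the OMS properties and sqlnet.ora line from the slide.
OMS_PROPS = """\
oracle.sysman.emRep.dbConn.enableEncryption=true
oracle.net.encryption_client=REQUESTED
oracle.net.encryption_types_client={DES40C}
oracle.net.crypto_checksum_client=REQUESTED
oracle.net.crypto_checksum_types_client={MD5}"""
SQLNET_ORA = "SQLNET.ENCRYPTION_SERVER = REQUESTED"

LEVELS = {"REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED"}
WEAK = {"DES40C", "DES56C", "RC4_40", "RC4_56", "MD5"}  # <=56-bit keys, MD5


def negotiate(a, b):
    """Oracle Net outcome for one service given both sides' levels."""
    pair = {a.upper(), b.upper()}
    if not pair <= LEVELS:
        raise ValueError(f"unknown level in {sorted(pair)}")
    if "REJECTED" in pair:
        return "FAIL" if "REQUIRED" in pair else "OFF"
    # Nobody rejects: the service is on unless both sides merely accept.
    return "OFF" if pair == {"ACCEPTED"} else "ON"


def parse(text):
    """Turn name=value lines into a dict with lower-cased names."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def audit_aso(oms_text, sqlnet_text):
    """Return findings for the encryption and checksum services."""
    oms, srv = parse(oms_text), parse(sqlnet_text)
    findings = []
    for svc in ("encryption", "crypto_checksum"):
        client = oms.get(f"oracle.net.{svc}_client", "ACCEPTED")
        server = srv.get(f"sqlnet.{svc}_server", "ACCEPTED")  # default level
        state = negotiate(client, server)
        if state != "ON":
            findings.append(f"{svc}: {state} (client {client}, server {server})")
        elif "REQUIRED" not in (client.upper(), server.upper()):
            findings.append(f"{svc}: ON but not enforced, neither side is REQUIRED")
        types = oms.get(f"oracle.net.{svc}_types_client", "")
        for algo in re.findall(r"\w+", types):
            if algo.upper() in WEAK:
                findings.append(f"{svc}: weak algorithm {algo}")
    return findings
```

Run against the slide's values, it reports that both services are on but not enforced (a peer set to REJECTED would turn them off without an error) and that DES40C and MD5 are weak choices.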

71 Infrastructure Security Best Practices Secure communication
Enable the strong cipher suites for the communication between Enterprise Manager components
- Agent: edit $AGENT_HOME/sysman/config/emd.properties to configure the strong cipher suites:

    SSLCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_AES_128_CBC_SHA:SSL_RSA_WITH_AES_256_CBC_SHA

- OMS: update the following parameter in the $INSTANCE_HOME/WebTierIH1/config/OHS/ohs1/httpd_em.conf and ssl.conf files:

    SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

By default, if not specified, the following cipher suites are allowed for the communication:
- SSL_RSA_WITH_RC4_128_MD5
- SSL_RSA_WITH_RC4_128_SHA
- SSL_RSA_WITH_3DES_EDE_CBC_SHA

You can edit the SSLCipherSuites parameter in $AGENT_HOME/sysman/config/emd.properties to configure the strong cipher suites to be used for agent SSL/TLS communication. The following are supported strong cipher suites:
- SSL_RSA_WITH_AES_128_CBC_SHA
- SSL_RSA_WITH_AES_256_CBC_SHA
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
- SSL_DH_anon_WITH_RC4_128_MD5
- SSL_DH_anon_WITH_DES_CBC_SHA

To restrict the strong cipher suites used by OMS, edit the SSLCipherSuite parameter in the $INSTANCE_HOME/WebTierIH1/config/OHS/ohs1/httpd_em.conf and ssl.conf files with the appropriate values. Here are the default values:
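A cipher-suite list like the ones above is easy to get subtly wrong, so it is worth checking mechanically. The following added example (not from the presentation; function names and rule wording are hypothetical, and the sample line is constructed from the agent setting on the slide) reads the suite list and flags names that rely on RC4, single DES, 3DES, export-grade keys, anonymous key exchange or an MD5 MAC, as well as malformed names.

```python
import re

# Constructed sample: the agent setting shown on the slide.
EMD_PROPERTIES = ("SSLCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA:"
                  "SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_AES_128_CBC_SHA:"
                  "SSL_RSA_WITH_AES_256_CBC_SHA")

# (pattern, reason) pairs checked against each suite name.
RULES = [
    (r"_anon_", "anonymous key exchange: peer is not authenticated"),
    (r"_EXPORT_", "export-grade key length"),
    (r"_NULL_", "no encryption"),
    (r"_RC4_", "RC4 stream cipher"),
    (r"_DES40_|_DES_CBC_", "single DES"),
    (r"_3DES_", "3DES: 64-bit block cipher"),
    (r"_MD5$", "MD5 MAC"),
]
SUITE_NAME = re.compile(r"^(SSL|TLS)_\w+_WITH_\w+$")


def read_suites(text, key="SSLCipherSuites"):
    """Return the colon-separated suite list for `key`, or [] if unset.

    Accepts both `key=value` (emd.properties) and `key value` (httpd conf).
    """
    m = re.search(rf"^\s*{re.escape(key)}\s*[= ]\s*(.+)$", text, re.M)
    return [s.strip() for s in m.group(1).split(":") if s.strip()] if m else []


def audit_suites(suites):
    """Map each problematic suite to the list of reasons it was flagged."""
    report = {}
    for suite in suites:
        reasons = [why for pat, why in RULES if re.search(pat, suite)]
        if not SUITE_NAME.match(suite):
            reasons.append("not a well-formed suite name (typo?)")
        if reasons:
            report[suite] = reasons
    return report
```

For the OMS files, pass `key="SSLCipherSuite"` to `read_suites`; suites absent from the returned report passed every rule.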

72 Infrastructure Security Best Practices Secure communication
Use a certificate from a well-known Certificate Authority (CA) for the communication
- Trusted certificates
- Different expiry and key size that meet special security rules
Steps:
- Create a wallet for each OMS in the grid.
- Write the certificates of all the Certificate Authorities in the certificate chain into the file trusted_certs.txt.
- Download the trusted_certs.txt file to the agents' host machines.
- Restart the Agent after running the add_trust_cert command:

    emctl secure add_trust_cert -trust_certs_loc <location of trusted_certs.txt file>

- Secure the OMS and restart it:

    emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt>

73 Infrastructure Security Best Practices Configure Enterprise Manager for Firewalls
Firewall between browsers and Grid Control Console
- Configure the firewall to allow Grid Control Console to receive HTTP traffic over port 7778
  - Or 7777 if Web Cache is used in the OMS home
- If Grid Control Console is secured as mentioned earlier, configure the firewall to allow Grid Control Console to receive HTTPS traffic over port 4443
[Diagram: browser (web-based Grid Control), firewall, Oracle Management Service (OMS); ports 7777, 7778, 4443]

74 Infrastructure Security Best Practices Configure Enterprise Manager for Firewalls
Configure the firewall between OMS and Repository to allow Oracle Net traffic flow
- As mentioned earlier, to secure the communication between OMS and Repository, we need to enable Oracle ASO for the Repository
- ASO supports the following two types of firewalls:
  - Application proxy-based firewalls, such as Network Associates Gauntlet, or Axent Raptor
  - Stateful packet inspection firewalls, such as Check Point Firewall-1, or Cisco PIX Firewall
- Some vendors' firewalls can be configured to recognize Oracle*Net traffic with their Oracle Net Proxy Traffic Kits
- Otherwise, define an ACL that allows traffic flow between the subnet hosting the OMS and the subnet hosting the repository
[Diagram: Oracle Management Service (OMS), firewall, Management Repository; SQL*Net]

75 Privilege Propagating Group
- A special group whose granted privileges are propagated to its direct and nested members
- For a normal group, no matter what privilege (FULL, OPERATOR or VIEW) on the group is granted to you, you only get VIEW privileges on the group members
- The system privilege "Create Privilege Propagating Group" is required to create this type of group
- "Full privilege" on the target is required to add the target as a member of a group
- emcli verb to convert between a normal group and a privilege propagating group:

    emcli modify_group -privilege_propagating=true/false

- Privilege Propagating System, Redundancy Group, Aggregate Services

76 Infrastructure Security Best Practices Configure Enterprise Manager for Firewalls
Configure OMS to use a proxy server for its connections to My Oracle Support to check CPUs
- Update the following OMS properties via the emctl set property command:

    emctl set property -name <property> -value <value>

    PROXYHOST=proxyhostname.domain
    PROXYPORT=port

- If there are some agents on hosts that are inside the firewall, set the dontProxyfor property for these hosts:

    dontPROXYFor=hostname1,hostname2

[Diagram: Oracle Management Service (OMS), firewall, My Oracle Support]

77 Manage Enterprise Manager Security Monitor its own Security
Security Policies
- Help you quickly identify systems that are not in compliance
- Out-of-box policies adopted from industry best practices
- Customize policies to meet specific security needs in your organization
Security at a glance
- Helps you to quickly focus on security issues by showing statistics about security policy violations and noting the critical security patches that have not been applied
- Compliance scores and Violation flux
- Notification of violations (Page, SNMP Traps, etc.)
Compliance Score
- Represents security health as a simple score
- Allows easy comparisons between secured items such as databases, hosts, etc.
- Shows trends in policy compliance

78 Manage Enterprise Manager Security Fix its Own Security Violations
- Corrective actions to remediate violations
- CPU Advisories
- Patching automation
  - Connects to MOS to discover and pull in new patches
  - Rapidly deploys security patches
