Oracle Enterprise Manager Security Best Practices
Huaqing Wang, Senior Product Manager, Oracle
Ravi Pinnamaneni, Consulting Member of Technical Staff, Oracle

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Agenda
• Oracle Enterprise Manager Overview
• Security Best Practices
• Managing Enterprise Manager Security using Enterprise Manager
• Q & A
• Appendix
Business-Driven IT Management
© 2010 Oracle Corporation

Enterprise Manager Security Certification
Common Criteria EAL 4+
• Enterprise Manager security feature development process rigorously vetted and certified by independent government agency
• Certified with Common Criteria Evaluation Assurance Level (EAL) 4+ with ID# BSI-DSZ-CC-0621-2010 on Aug. 27, 2010
• Comprehensive evaluation process took 2+ years to complete
• EAL4+ is highest mutually recognized level among governments worldwide

Oracle Enterprise Manager Architecture Overview
[Diagram: Oracle Management Repository, Oracle Management Service, Grid Control Console, Oracle Management Agent]
• Oracle Management Agent (Management Agent)
  – An integral software component deployed on each monitored host
  – Responsible for monitoring and managing the hosts and all the targets running on those hosts, communicating the information (metrics, configurations, etc.) to Oracle Management Service (OMS)
• Oracle Management Service (OMS)
  – J2EE Web application that orchestrates with Oracle Management Agents to discover targets, monitor and manage them, and upload the collected information to Oracle Management Repository for future reference and analysis
  – Renders the user interface for the Grid Control Console
• Oracle Management Repository (Management Repository)
  – An Oracle database where all the information (metrics, configurations, etc.) collected by the Oracle Management Agents gets stored
• Grid Control Console
  – A web user interface from where you can monitor and administer your entire computing environment

Enterprise Security Considerations and Threats
Security Consideration | Security Threat
Data confidentiality and integrity | Man-in-the-Middle attacks
Data availability | Denial-of-Service attacks
Authentication | Password crack attacks
Segregation of duties | Exploitation of authorization
Non-repudiation | Repudiation
• Data confidentiality and integrity
  – Not disclosed to any entities unless they are authorized to access
  – Not changed, destroyed, or lost in unauthorized or accidental manner
• Man-in-the-Middle attacks
  – Interrupts, intercepts, modifies or fabricates data in transit
[Diagram: data between Management Agent and OMS, interrupted/stolen]
• Data availability
  – Available and usable upon demand by an authorized entity
• Denial-of-Service attacks
  – Makes Management Repository or OMS unavailable to intended users by flooding them with more requests than they can handle
• Authentication
  – The process to verify the identity, usually username and password, claimed by a user
• Password crack attacks
  – Obtains password from an authentication exchange, then uses the password to log on to Enterprise Manager Grid Control
  – For example: guess, dictionary and brute force attacks
• Segregation of duties
  – No person should be given responsibility for more than one related function
• Exploitation of authorization
  – Accesses resources (targets, jobs, templates and so on) that he/she should not be authorized to
• Non-repudiation
  – Network security: Neither sender nor recipient can later deny having processed the information
  – Web Application security: No one can later deny the actions he/she has taken in the application
• Repudiation
  – Refuses authoring of something that happened

Oracle Enterprise Manager Security Overview
1. Enterprise Manager Infrastructure Security
2. Authentication, Authorization and Audit – The Three A’s
3. Security of target authentications

Enterprise Manager Infrastructure Security
• Enterprise Manager Infrastructure Security
  – Securing individual Enterprise Manager components
  – Securing communication
[Diagram: Oracle Management Repository, Oracle Management Service, Grid Control Console, Management Agent; targets: Database, Application, Host]

Infrastructure Security Best Practices
Securing Enterprise Manager Components
• Harden the machines on which OMS and Management Repository reside
  – Remove unsecure services such as FTP, telnet, rlogin and so on
  – Close UDP and TCP ports for services that are disabled
• Apply all security patches
  – Always apply latest relevant Critical Patch Updates (CPUs) for OS, Oracle Database, Oracle WebLogic Server, OMS and Agents
• Use privilege delegation tool such as sudo/Powerbroker for the access to the owner of OMR, OMS and Agent Oracle Homes
  – Disable direct log in to hosts for the owner account, “oracle”
  – Allow normal users to perform administrative tasks without disclosing password of privileged user

Infrastructure Security Best Practices
Oracle Management Repository
• Follow best practices for securing the Oracle Database (e.g. Oracle Database Security Checklist)
  – Restrict operating system access
    • Limiting the number of OS users with access on Oracle Database host
    • Restricting the ability for these users to modify the default file/directory permissions of Oracle Home
  – Restrict network access to the Repository
    • Check Network IP Address to allow the access to Oracle Database only from authorized nodes
  – Configure $TNS_ADMIN/protocol.ora file
    • tcp.validnode_checking=yes
    • tcp.invited_nodes={list of IP addresses}
  – If Repository is the only database on the host, we can limit the nodes to OMS nodes only
  – Please refer to the link for more information: http://www.oracle.com/technetwork/database/security/twp-security-checklist-database-1-132870.pdf
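
A check for the valid-node settings above, as an added example that is not from the slides or from Oracle: it reads a protocol.ora-style file and reports where the allow-list differs from the OMS hosts. The allow-list parameter is Oracle Net's tcp.invited_nodes; the function names, file contents and IP addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle code. Audits the valid-node settings for a
# Repository that should accept connections from the OMS nodes only.

# net_param FILE NAME_REGEX -> value of the last uncommented "NAME = value"
# line, lower-cased, with blanks and brackets removed. Names match
# case-insensitively.
net_param() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=//' | tr -d '(){} \t\r' | tr 'A-Z' 'a-z'
}

# check_valid_nodes FILE "oms1 oms2 ..." -> one finding per line.
# Returns 0 when there are no findings, 1 otherwise.
# OMS nodes are given lower-case, in the same form used in the file.
check_valid_nodes() {
    file=$1 allowed=$2 findings=0
    if [ "$(net_param "$file" 'tcp\.validnode_checking')" != yes ]; then
        echo "tcp.validnode_checking is not set to yes"
        findings=1
    fi
    nodes=$(net_param "$file" 'tcp\.invited_nodes' | tr ',' ' ')
    if [ -z "$nodes" ]; then
        echo "tcp.invited_nodes is empty or missing"
        findings=1
    else
        for node in $nodes; do            # allow-listed but not an OMS node
            case " $allowed " in
                *" $node "*) ;;
                *) echo "unexpected node: $node"; findings=1 ;;
            esac
        done
        for want in $allowed; do          # OMS node that would be refused
            case " $nodes " in
                *" $want "*) ;;
                *) echo "OMS node not in tcp.invited_nodes: $want"; findings=1 ;;
            esac
        done
    fi
    return $findings
}

# write_samples DIR -> constructed sample files (documentation IP ranges)
write_samples() {
    cat > "$1/good.ora" <<'EOF'
# constructed sample: only the two OMS hosts may connect
tcp.validnode_checking = yes
tcp.invited_nodes = (192.0.2.10, 192.0.2.11)
EOF
    cat > "$1/bad.ora" <<'EOF'
# constructed sample: checking left off, and a non-OMS host is allow-listed
#tcp.validnode_checking = yes
TCP.INVITED_NODES = (192.0.2.10, 198.51.100.7)
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
check_valid_nodes "$demo/good.ora" "192.0.2.10 192.0.2.11" && echo "good.ora: ok"
check_valid_nodes "$demo/bad.ora" "192.0.2.10 192.0.2.11" || echo "bad.ora: findings above"
rm -rf "$demo"
```
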

Infrastructure Security Best Practices
Oracle Management Service
• Follow best practices for securing Oracle WebLogic Server (Securing the Production Environment for Oracle WebLogic Server)
  – Protect WebLogic Server Home directory, especially domain directory which contains configuration files, security files, log files and other Java EE resources for the WebLogic domain.
    • Grant only one OS user who runs WebLogic Server the access privilege to the directory
  – Create no fewer than two user accounts with system administrator privileges
    • To ensure one user maintains account access in case another user becomes locked out by a dictionary/brute force attack
  – Please refer to http://download.oracle.com/docs/cd/E12839_01/web.1111/e13705.pdf for more information

Infrastructure Security Best Practices
Oracle Management Agent
• Deploy agent via pushing agents from OMS
  – Secure Shell (SSH) protocol is used in this approach, which ensures the confidentiality and integrity of agent installation
• Use complex one-time registration passwords with reasonable expiry date
  – Registration password combined with random keys generated by OMS and agent is used to produce agent key to register and secure the agent
  – Protect against the possibility of unauthorized agents accessing OMS

Infrastructure Security Best Practices
Securing Communication Overview
• Various communications within Enterprise Manager
  – Between OMS and agent (Bidirectional)
  – Between browsers and OMS
  – Between OMS and Management Repository
  – Between OMS and targets
• Communications in firewall environments

Infrastructure Security Best Practices
Securing Communication Between OMS and Agents
• Securing communication between OMS and Agents (Bidirectional)
  – It is secure locked out-of-box (10.2.0.5 and after), which means the communication is only over HTTPS
  – Security aspects of communication over HTTPS
    • What secure protocol is used
      – Secure Socket Layer (SSL) v3
      – Transport Layer Security (TLS) v1
    • What strong cipher suites are used
    • Is certificate from well-known Certificate Authority (CA)

Infrastructure Security Best Practices
Securing communication
• Enable TLS v1 only for communication between OMS and Management Agents
  – OMS:
    • emctl stop oms
    • emctl secure oms -protocol TLSv1
    • Append -Dweblogic.security.SSL.protocolVersion=TLS1 to JAVA_OPTIONS in Domain Home/bin/startEMServer.sh.
    • emctl start oms
  – Agent:
    • Update $Agent_Home/sysman/config/emd.properties
      – allowTLSonly=true
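
One way to confirm the two file changes above after the restart, as an added example that is not from the slides or from Oracle: it checks emd.properties for an uncommented allowTLSonly=true and startEMServer.sh for the protocolVersion flag on a JAVA_OPTIONS line. The function names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle code. Checks the two settings the slide lists for
# restricting OMS <-> Agent traffic to TLS v1.

# agent_tls_only FILE -> prints ok | disabled | missing
agent_tls_only() {
    # Use the last uncommented allowTLSonly assignment; allow blanks around "=".
    val=$(sed -n 's/^[[:space:]]*allowTLSonly[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | tail -n 1)
    case "$val" in
        true) echo ok ;;
        "")   echo missing ;;
        *)    echo disabled ;;
    esac
}

# oms_tls_flag FILE -> prints ok | missing
oms_tls_flag() {
    # Ignore commented-out lines; the flag must sit on a JAVA_OPTIONS line and
    # end at TLS1, so a longer value is not mistaken for it.
    if grep -v '^[[:space:]]*#' "$1" | grep 'JAVA_OPTIONS' \
        | grep -Eq -e '-Dweblogic\.security\.SSL\.protocolVersion=TLS1([^0-9A-Za-z._]|$)'; then
        echo ok
    else
        echo missing
    fi
}

# audit_tls_only EMD_PROPERTIES START_SCRIPT -> two report lines.
# Returns 0 only when both settings are in place.
audit_tls_only() {
    agent=$(agent_tls_only "$1")
    oms=$(oms_tls_flag "$2")
    echo "agent allowTLSonly: $agent ($1)"
    echo "OMS protocolVersion=TLS1 flag: $oms ($2)"
    [ "$agent" = ok ] && [ "$oms" = ok ]
}

# write_samples DIR -> constructed sample files under DIR/good and DIR/bad
write_samples() {
    mkdir -p "$1/good" "$1/bad"
    cat > "$1/good/emd.properties" <<'EOF'
# constructed sample
allowTLSonly=true
EOF
    cat > "$1/good/startEMServer.sh" <<'EOF'
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.protocolVersion=TLS1"
export JAVA_OPTIONS
EOF
    cat > "$1/bad/emd.properties" <<'EOF'
# allowTLSonly=true
allowTLSonly = false
EOF
    cat > "$1/bad/startEMServer.sh" <<'EOF'
# JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.protocolVersion=TLS1"
JAVA_OPTIONS="${JAVA_OPTIONS} -Xms256m"
export JAVA_OPTIONS
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
audit_tls_only "$demo/good/emd.properties" "$demo/good/startEMServer.sh" && echo "good: TLS-only settings present"
audit_tls_only "$demo/bad/emd.properties" "$demo/bad/startEMServer.sh" || echo "bad: settings need attention"
rm -rf "$demo"
```

TLS v1 is the version these slides name; it has since been deprecated by RFC 8996, so on current releases confirm which protocol versions the product supports before fixing on one.
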

Infrastructure Security Best Practices
Configuring Enterprise Manager for Firewalls
• Firewalls are commonplace in most mature and modern IT infrastructures
• Two areas where Enterprise Manager and firewalls will interact
  – Navigate between Enterprise Manager components separated by firewalls
  – Communicate with managed targets that are behind firewalls
• Enterprise Manager is designed to cope with both cases but….
  – …this is one of the least understood areas when deploying Enterprise Manager in a secure environment
• Best Practices:
  – Get firewalls into first design of the solution
    • Carefully analyze your protocol requirements between Enterprise Manager and the Managed Targets in your environment, e.g.,
      – HTTP/HTTPS for communication between OMS and Agents
      – SQL*Net for the communication between OMS and Oracle Database targets
      – ICMP and UDP for the communication between beacons and managed targets
    • Consider placement of OMSs when laying down your Enterprise Manager topology
  – Work closely with the network team on design of groups and Access Control List (ACL) for groups of targets
• Lots of different permutations with Enterprise Manager when dealing with Firewalls….
  – Configuring agents on a host protected by a firewall
  – Configuring OMS on a host protected by a firewall
  – Firewalls between OMS and OMR
  – Firewall between your browser and Grid Control
  – Firewalls between the Grid Control and a managed database target
  – Firewalls used with multiple OMS
  – ……
• Let’s take a tour through some of these
• Configure Oracle Management Agent on a host protected by a firewall
  – Configure Oracle Management Agent to use proxy server for its upload to OMS
    • Update the following parameters in file $AGENT_HOME/sysman/config/emd.properties
      REPOSITORY_PROXYHOST=proxyhostname.domain
      REPOSITORY_PROXYPORT=port
    • If authentication is required, edit the following parameters as well
      REPOSITORY_PROXYREALM=realm
      REPOSITORY_PROXYUSER=proxyuser
      REPOSITORY_PROXYPWD=proxypassword
  – Configure firewall to allow inbound communication from OMS to Agent
    • Port 3872 (default)
    • Port range 1830-1849 (non-default)
• Configure Oracle Management Service on a host protected by a firewall
  – Configure OMS to use proxy server for its communication to agents outside the firewall
    • Update the following OMS properties via emctl set property command:
      – emctl set property -name <property> -value <value>
        PROXYHOST=proxyhostname.domain
        PROXYPORT=port
    • If there are some agents on the hosts that are inside the firewall, set dontProxyfor property for these hosts
        dontPROXYFor = hostname1,hostname2
  – Configure firewall to allow inbound communication from Agents to OMS
    • Default HTTP/HTTPS Ports: 4889/1159
    • Non-default port range 4890-4897/4898-4908

Authentication, Authorization and Auditing
The Three A’s
• Authentication
  – Determines whether someone is in fact who it is declared to be while accessing Enterprise Manager Grid Control
• Authorization
  – Provides access control to secure resources and functionalities within Enterprise Manager such as targets, jobs, templates, reports, etc.
• Audit
  – Keeps track of the actions that happened within Enterprise Manager to prevent repudiation

The Three A’s Best Practices
Authentication
• Repository-based authentication (Default)
  – Use password profile to enforce the password control such as password complexity, failed login attempt, password reuse max, password life time, etc.
• Leverage Grid Control user authentication to Oracle Single Sign-on (OSSO) or Enterprise User Security (EUS)
  – Simplify the identity management across the enterprise
  – Both SSO and EUS enable your users to authenticate to Grid Control by using their credentials stored in LDAP server
• Disable SYSMAN logging into Grid Control console by issuing the following SQL statement on Repository
    UPDATE MGMT_CREATED_USERS
    SET SYSTEM_USER='-1'
    WHERE user_name='SYSMAN';
• If you want to enable SYSMAN logging into Grid Control Console later on:
    UPDATE MGMT_CREATED_USERS
    SET SYSTEM_USER='1'
    WHERE user_name='SYSMAN';
• Change password for both SYSMAN and MGMT_VIEW on a regular basis
  – Prevent password crack attacks
  – emctl config oms -change_repos_pwd -change_in_db
  – emctl config oms -change_view_user_pwd

The Three A’s Best Practices
Authorization Overview
• Two-step authorization process enables fine-grained access and segregation of duties:
  – Enterprise Manager authorization
    • Controls the access to the resources and functionalities within Enterprise Manager
      – Manage target metrics thresholds
      – Set alert notification rules
      – Enable/disable Enterprise Manager packs
  – Target authorization
    • Controls the access to the resources and functionalities within the target
      – CREATE new TABLE
      – Back-up database
      – Tune SQL
    • Enforced by target security model
    • Depends on the credential used to connect to the target
• Example:
  – Create new user, SQLTuningDBA, who is only responsible for tuning 2 of 100 managed database targets
• Enterprise Manager authorization
  – Create EM user SQLTuningDBA
  – Grant VIEW Target Privilege on the 2 DB targets of interest
• Target authorization
  – Target credentials used should have the following database privileges
    • select_any_catalog
    • administer sql tuning set
    • execute on dbms_workload_repository
[Diagram: SQLTuningDBA in Oracle Enterprise Manager connects as database user A and as database user B to Database 1 and Database 2]

The Three A’s Best Practices
Enterprise Manager Authorization Overview
What type of administrator should the new user be?
• Normal Enterprise Manager Administrator
  – Has NO access to anything unless granted privileges
• Super Administrator
  – Has FULL privileges on all targets and the ability to create Super Administrators
What System Privilege(s) should the user have?
• Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1), e.g.,
  – Should the user be able to VIEW any targets?
  – Should the user be able to ADD new targets?
What targets should the user be able to access?
• Should the user only be able to monitor the databases of his own department?
• If groups of targets are always monitored and managed in the same way, do we have to grant the privileges on these individual targets to the user?
• Privilege Propagating Group – Privileges granted on the group automatically granted on its members
What Target Privilege(s) should the user have?
• Enterprise Manager provides 7 Target Privileges, e.g.,
  – Should the user be able to blackout target 1, 2 and 3?
  – Should the user be able to change metric threshold setting for target 4, 5 and 6?
• Whether the user is able to tune performance of target 1 depends on the credential he uses to connect to target 1
Role
• If there are a set of users sharing the same responsibilities, do we have to grant all the individual privileges one by one to these users?
• Role -- Set of privileges

The Three A’s Best Practices
Enterprise Manager Authorization
• Reduce the number of Super Administrators
  – Super Administrators have FULL privilege on all targets and could create additional Super Administrators
• Grant only the minimum set of privileges
  – Follow the principle of least privilege to grant users only the minimum set of privileges needed to fulfill their responsibilities
• Achieve segregation of duties and simplify authorization management
  – Grant roles instead of individual privileges to users
  – Use roles along with Privilege Propagating groups
• Monitor privilege/role operations through Enterprise Manager Auditing

The Three A’s Best Practices
Audit
• Extended actions audited by Enterprise Manager – 61 actions (33 new actions in 11g Release 1)
  – For example, user login/logoff, privilege granting/revoking, changes on monitoring template, changes on user defined policies, and database target start/stop/restart
• Built-in externalization service to purge audit data from Repository and export to external file system automatically
    emcli update_audit_setting -file_prefix=<file_prefix> -directory_name=<directory_name> -file_size=<file size> -data_retention_period=<period in days>
• GUI interface to view and search audit data
  – Setup -> Management Service and Repository -> Audit Data
• Enable Audit for EM Operations
    emcli enable_audit
• If you only care about a subset of actions, you can just enable the auditing for them
    emcli update_audit_settings -audit_switch="ENABLE" -operations_to_enable="LOGIN;LOGOUT"
• Configure the externalization service to purge the audit data from the Repository to an external file system on a regular basis.
    emcli update_audit_setting -directory="EM_DIR" -file_prefix="emgc_audit" -file_size="1000000" -data_retention_period="60"
Oracle Enterprise Manager Security Overview
1. Enterprise Manager Infrastructure Security
2. Authentication, Authorization and Audit – The Three A’s
3. Security of target authentications

Security of Target Authentication: Credential System
• Credentials
  – Credentials are typically username and password required to access targets such as databases, hosts, etc.
  – Stored encrypted in Repository or Agent
• Usages of credentials:
  – Collect metrics in the background as well as in real-time
  – Perform jobs like Backup, Patching, Cloning, etc.
  – Real-time target administration like start, stop, etc.
  – Connect to My Oracle Support for patches
• Preferred credentials – per user basis
  – Default credential – per target type
  – Target credential – per target
  – Target credential overrides default credential

Target Authentication Best Practices: Credential System
• Do not set preferred credentials for group/common accounts, e.g., SYSMAN. The following SQL statement gives you the result of preferred credential setting:
    SELECT t.target_name, tc.user_name, tc.credential_set_name
    FROM MGMT_TARGET_CREDENTIALS tc, MGMT_TARGETS t
    WHERE tc.target_guid = t.target_guid
• Keep track of the operations on credential by enabling auditing the corresponding actions
• Use emcli verbs to synchronize credentials between Enterprise Manager and its database targets
    emcli update_db_password -user_name="DBUserName" -change_at_target=yes

Target Authentication Best Practices: Host Target Authentication
• Configure Pluggable Authentication Module (PAM) to take advantage of rich authentication approaches to Host access
  – Kerberos, RADIUS and LDAP supported to take advantage of the centralized identity storage and management
  – WebIV 422073.1: How to configure Agent with PAM to support LDAP authentication
• Privilege Delegation (sudo/PowerBroker) supported across Enterprise Manager
  – Enable users to perform administrative tasks without providing credentials for functional accounts

Threats vs. Best Practices
Security Threats | Best Practices
Man-in-the-Middle Attacks | Securing the communication; Enable TLS v1 protocol; Configure firewalls; ……
Denial-of-Service Attacks | Secure individual Enterprise Manager components; ……
Exploitation of Authorization | Principle of least privileges; Auditing the authorization actions; ……
Password crack Attacks | Change password on a regular basis; Enable password profile to enforce password control; ……
Repudiation | Enable auditing for Grid Control actions

Agenda
• Oracle Enterprise Manager Overview
• Security Best Practices
• Managing Enterprise Manager Security using Enterprise Manager
• Q & A
• Appendix

Oracle Enterprise Manager: Manage its Own Security
• Monitor its own security compliance
  – Security policies
    • Define the desired behaviors of systems in terms of security
  – Security at a glance
    • Provides an overview of the security health of the enterprise for all targets or specific groups
  – Notification of violations
    • Email, Page, SNMP Traps, etc.
• Fix its own security violations
  – Corrective actions
  – CPU Advisory
  – Patching automation
    • Connects to MOS to discover and pull in new patches
    • Rapidly deploys security patches

Useful Whitepapers
• Oracle Database Security Best Practices
  – http://www.oracle.com/technetwork/database/security/twp-security-checklist-database-1-132870.pdf
• Oracle Weblogic Server Security Best Practices
  – http://download.oracle.com/docs/cd/E12839_01/web.1111/e13705.pdf
• Oracle Enterprise Manager Security Deployment Best Practices
  – http://www.oracle.com/technetwork/oem/grid-control/twp-security-best-practices-133704.pdf

Additional Oracle Enterprise Manager Sessions
Thursday, Sept. 23
• 3:00 p.m. - The X-Files: Managing the Oracle Exadata and Highly Available Oracle Databases (Location: Moscone S. Room 102)
• 3:00 p.m. - Monitoring and Diagnosing Oracle RAC Performance with Oracle Enterprise Manager (Location: Moscone S. Room 310)

Oracle Enterprise Manager 11g Resource Center
Access Videos, Webcasts, White Papers, and More
Oracle.com/enterprisemanager11g

Appendix

Infrastructure Security Best Practices: Oracle Management Repository
• Secure the Oracle Listener to defend against Denial-of-Service (DoS) attacks
  – Enable Connection Rate Limiter feature
    • Configure $TNS_ADMIN/admin/listener.ora
      – Connection_rate_Listenername = n
      – Rate_limit in ADDRESS section of listener endpoint configuration
        • Listenername=(ADDRESS=(PROTOCOL=tcp)(HOST=Server1)(PORT=1521)(RATE_LIMIT=yes))
  – Please refer to the link for more information: http://www.oracle.com/technetwork/database/enterprise-edition/oraclenetservices-connectionratelim-133050.pdf

Infrastructure Security Best Practices: Secure communication
• Secure lock OMS
  – Enforces the communication with OMS only over SSL/TLS
  – By default OMS is secure locked (10.2.0.5 and after)
  – If your instance is upgraded from a previous version that is not secure locked, please issue the following command
    • emctl secure lock
  – The following command tells you whether your OMS is secure locked or not
    • emctl status oms -details
        HTTP Console Port : 7802
        HTTPS Console Port : 5416
        HTTP Upload Port : 7654
        HTTPS Upload Port : 4473
        Agent Upload is locked.
        OMS Console is locked.
        Active CA ID: 1

Infrastructure Security Best Practices: Secure communication
• Secure the agent
  – emctl status agent -secure
      …
      Agent is secure at HTTPS Port 1838
      OMS is secure on HTTPS Port 4473
  – emctl secure agent

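A compliance check for the two status commands above, as an added example that is not part of the original slides: it takes the text printed by `emctl status oms -details` and `emctl status agent -secure` and confirms that both OMS channels are locked and that the agent names the OMS's HTTPS upload port. The function names are hypothetical, the sample text is constructed from the output shown on the slides, and any wording other than "is locked." is treated as not locked.

```shell
#!/bin/sh
# Constructed samples, modelled on the command output shown on the slides.
OMS_STATUS='HTTP Console Port : 7802
HTTPS Console Port : 5416
HTTP Upload Port : 7654
HTTPS Upload Port : 4473
Agent Upload is locked.
OMS Console is locked.
Active CA ID: 1'
AGENT_STATUS='Agent is secure at HTTPS Port 1838
OMS is secure on HTTPS Port 4473'

# $1 = text of `emctl status oms -details`.
# Prints "console=<yes|no> upload=<yes|no>"; succeeds only if both are locked.
oms_lock_state() {
    console=no
    upload=no
    printf '%s\n' "$1" | grep -q '^[[:space:]]*OMS Console is locked\.' && console=yes
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Agent Upload is locked\.' && upload=yes
    echo "console=$console upload=$upload"
    [ "$console" = yes ] && [ "$upload" = yes ]
}

# $1 = OMS status text. Prints the HTTPS upload port, or nothing if absent.
oms_https_upload_port() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*HTTPS Upload Port[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# $1 = text of `emctl status agent -secure`, $2 = OMS status text.
# Succeeds only if the agent reports itself secure and names the same
# OMS HTTPS port that the OMS reports as its HTTPS upload port.
agent_uses_https_upload() {
    want=$(oms_https_upload_port "$2")
    got=$(printf '%s\n' "$1" |
        sed -n 's/^.*OMS is secure on HTTPS Port[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    printf '%s\n' "$1" | grep -q 'Agent is secure at HTTPS Port' || return 1
    [ -n "$want" ] && [ "$got" = "$want" ]
}

# Report for the constructed samples.
oms_lock_state "$OMS_STATUS"
agent_uses_https_upload "$AGENT_STATUS" "$OMS_STATUS" && echo "agent upload: HTTPS"
```
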
Infrastructure Security Best Practices: Secure communication
• Securing communication between OMS and Repository by enabling network security feature of Advanced Security Option (ASO)
  – ASO is a DB option that combines network encryption, database encryption and strong authentication together to help customers address privacy and compliance requirements
  – Ensures that the data between OMS and Repository is secure from both confidentiality and integrity standpoints

Infrastructure Security Best Practices: Secure communication
• Securing communication between OMS and Repository by enabling network security feature of Advanced Security Option (ASO)
  – Steps:
    • Set the following OMS configuration parameters with the appropriate values by issuing the following command:
      – emctl set property -name <property_name> -value <value>
          oracle.sysman.emRep.dbConn.enableEncryption=true
          oracle.net.encryption_client=REQUESTED
          oracle.net.encryption_types_client={DES40C}
          oracle.net.crypto_checksum_client=REQUESTED
          oracle.net.crypto_checksum_types_client={MD5}
    • Add the following to Repository’s $TNS_ADMIN/sqlnet.ora
      – SQLNET.ENCRYPTION_SERVER = REQUESTED

Infrastructure Security Best Practices: Secure communication
• Enable the strong cipher suites for the communication between Enterprise Manager components
  – Agent
    • Edit $AGENT_HOME/sysman/config/emd.properties to configure the strong cipher suites
        SSLCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_AES_128_CBC_SHA:SSL_RSA_WITH_AES_256_CBC_SHA
  – OMS:
    • Update the following parameter in $INSTANCE_HOME/WebTierIH1/config/OHS/ohs1/httpd_em.conf and ssl.conf files
        SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

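An added example (not Oracle's code and not part of the original slides) that audits an `SSLCipherSuites` or `SSLCipherSuite` line against current practice: export-grade, NULL, RC4, single-DES and MD5-based suites are reported as WEAK and 3DES as LEGACY, which is worth running here because several suites listed on this slide fall into those classes. The function names and the three verdict labels are assumptions of the example; the sample lines are constructed from the slide's values.

```shell
#!/bin/sh
# Constructed samples using the suite lists shown on the slide.
AGENT_SAMPLE='SSLCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_AES_128_CBC_SHA:SSL_RSA_WITH_AES_256_CBC_SHA'
OMS_SAMPLE='SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA'

# Reads a config file on stdin and prints "<verdict> <suite>" per suite.
# Accepts "SSLCipherSuites=a:b" (emd.properties form) and
# "SSLCipherSuite a:b" (httpd_em.conf / ssl.conf form); comment lines
# and unrelated settings are ignored.
classify_suites() {
    sed -n 's/^[[:space:]]*SSLCipherSuites\{0,1\}[[:space:]=]\{1,\}//p' |
    tr ':' '\n' |
    while IFS= read -r suite; do
        suite=$(printf '%s' "$suite" | tr -d '[:space:]')
        [ -n "$suite" ] || continue
        case "$suite" in
            # Export-grade, unencrypted, RC4, 56-bit/40-bit DES, MD5 MAC.
            *_EXPORT_*|*_NULL_*|*_RC4_*|*_DES_CBC_*|*_DES40_*|*_MD5)
                echo "WEAK $suite" ;;
            # 3DES: 64-bit block cipher, deprecated for new deployments.
            *_3DES_*)
                echo "LEGACY $suite" ;;
            *)
                echo "OK $suite" ;;
        esac
    done
}

# Number of WEAK suites in the config read from stdin (prints 0 if none).
count_weak() {
    classify_suites | grep -c '^WEAK ' || true
}

# Report for the constructed samples.
echo "agent:"; printf '%s\n' "$AGENT_SAMPLE" | classify_suites
echo "oms:";   printf '%s\n' "$OMS_SAMPLE" | classify_suites
```
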
Infrastructure Security Best Practices: Secure communication
• Use a certificate from a well-known Certificate Authority (CA) for the communication
  – Trusted certificates
  – Different expiry and key size that meet special security rules
  – Steps:
    • Create a wallet for each OMS in the grid.
    • Write certificates of all the Certificate Authorities in the certificate chain into file trusted_certs.txt.
    • Download the trusted_certs.txt file to the agents' host machines
    • Restart Agent after running the add_trust_cert command.
        emctl secure add_trust_cert -trust_certs_loc <location of trusted_certs.txt file>
    • Secure OMS and restart it.
        emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt>

Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls
• Firewall between browsers and Grid Control Console
  – Configure the firewall to allow Grid Control Console to receive HTTP traffic over 7778
    • Or 7777 if Web cache is used in OMS home
  – If Grid Control Console is secured as mentioned earlier, configure firewall to allow Grid Control Console to receive HTTPS traffic over port 4443

Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls
• Configure firewall between OMS and Repository to allow Oracle Net traffic flow
  – As mentioned earlier, to secure the communication between OMS and Repository, we need to enable Oracle ASO for Repository
  – ASO supports the following two types of firewalls
    • Application proxy-based firewalls, such as Network Associates Gauntlet, or Axent Raptor
    • Stateful packet inspection firewalls, such as Check Point Firewall-1, or Cisco PIX Firewall
  – Some vendors’ firewalls can be configured to recognize Oracle*Net traffic with their Oracle Net Proxy Traffic Kits
    • Otherwise, define an ACL that allows traffic flow between the subnet hosting the OMS and the subnet hosting the repository

Privilege Propagating Group
• Privilege Propagating Group
  – A special group whose granted privileges are propagated to its nested and direct members
    • For a normal group, no matter what privileges (FULL, OPERATOR or VIEW) on the group are granted to you, you’ll only get VIEW privileges on the group members
  – System privilege “Create Privilege Propagating Group” is required to create this type of group
  – “Full privilege” on the target is required to add the target as a member of a group
  – emcli verb to convert between a normal group and a privilege propagating group
    • emcli modify_group -privilege_propagating=true/false
• Privilege Propagating System, Redundancy Group, Aggregate Services

Infrastructure Security Best Practices: Configure Enterprise Manager for Firewalls
• Configure OMS to use a proxy server for its connections to My Oracle Support to check CPUs
• Update the following OMS properties via emctl set property command:
  – emctl set property -name <property> -value <value>
      PROXYHOST=proxyhostname.domain
      PROXYPORT=port
• If there are some agents on the hosts that are inside the firewall, set dontProxyfor property for these hosts
      dontPROXYFor=hostname1,hostname2

Manage Enterprise Manager Security: Monitor its own Security
• Security Policies
  – Help you quickly identify systems that are not in compliance
  – Out-of-box policies adopted from industry best practices
  – Customize policies to meet specific security need in your organization
• Security at a glance
  – Helps you to quickly focus on security issues by showing statistics about security policy violations and noting the critical security patches that have not been applied
    • Compliance scores and Violation flux
• Notification of violations
  – E-mail, Page, SNMP Traps, etc.

Manage Enterprise Manager Security: Fix its Own Security Violations
• Corrective actions to remediate violations
• CPU Advisories
• Patching automation
  – Connects to MOS to discover and pull in new patches
  – Rapidly deploys security patches