Post on 02-Jun-2020


Page 1: Get Proactive: Strategies for - Oracle · Informational Security Maturity BASIC REACTIVE FASTER REACTION INTEGRATED COMMON MANAGEMENT PROACTIVE IDENTIFICATION, REMEDIATION AGILITY

Copyright © 2016, Oracle and/or its affiliates. All rights reserved.

Get Proactive: Strategies for Hardening Security with Oracle Enterprise Manager CON6987

Angeline Janet Dhanarani, Principal Product Manager, Oracle Enterprise Manager

Deepen Chakraborty, Enterprise Architect, Technology Manufacturing Group, Intel Corporation

September 19, 2016



Complete Cloud Control

Optimized, Efficient: Integrated Cloud & On-premise Stack Management

Agile, Automated: Complete Cloud & On-premise Lifecycle Management

Scalable, Secure: Superior Enterprise-Grade Management


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.



Program Agenda

1. Informational Security Maturity

2. Proactive Defense-in-Depth Strategy

3. Perimeter Hardening

4. Server Hardening

5. Application Hardening

6. Data Hardening

7. Administrative Hardening


Informational Security Maturity

Figure: security maturity curve. Stages from lowest to highest: Basic Reactive; Faster Reaction; Integrated Common Management; Proactive Identification, Remediation; Agility. The vertical axis is Risk Management, and the curve runs from Defensive, Event-driven, Tactical to Offensive, Contextual, Strategic.

Crucial Information Security Components:

GOLDEN RULE: PREVENTION IS BETTER THAN CURE

Defense-in-Depth Security Model:

• Layered Security Solution: provides multiple layers of defense to protect a networking environment

• Security by hardening and monitoring


Proactive Defense-in-Depth Strategy

For hardening Enterprise Manager components (Inside Out)

Figure: concentric layers, innermost to outermost: Data, Application, Host, Network, Physical, Policies and Procedures.

Data hardening: Strong passwords, File ACLs, Endpoint security and secure communication paths (TLS), Database Access Settings

Application hardening: User Login, account management, Access Control

Server hardening: OS hardening, authentication, security update management, Inbound TCP/IP port control

Perimeter hardening: Firewalls, routers, Demilitarized zones, VPNs

Physical hardening: Guards, Locks, Tracking devices

Administrative hardening: Security policies, procedures, governance, auditing


Perimeter hardening

Network Fortification: Firewalls, Routers, Demilitarized zones, VPNs

Frequently asked queries


Secured Communication across Firewalls


Network flows and port directions

What network flows and port directions do I need to configure on the firewall to enable secure communication between Enterprise Manager Components?


Default Ports that need to be configured:

• Cloud Control console HTTPS port (7799)

• Admin Server console HTTPS port (7101)

• Management Repository Database SQL*Net port (1521)

• Management Agent port (3872)

• Enterprise Manager upload HTTPS port (1159)

• Enterprise Manager upload HTTP port (4889)

• Host status: ICMP (0) echo reply, ICMP (8) echo request

• Target Database SQL*Net port (1521)

• Secure admin: SSH (22)

Optional Ports:

• BIP Reports console HTTPS port (9801)

• JVM Diagnostics HTTPS port (3801)

• My Oracle Support access HTTPS port (443)

• Always-On Monitoring secure upload port (8081)

Secured Communication across Firewalls

Figure: flow diagram between the Console, the Oracle Management Service (OMS) with its Admin Server and application server, the Oracle Management Repository, and the targets (database and host) with their agents, annotated with the ports above: 7799 (console), 7101 (Admin Server), 3872 (agent), 1159 and 4889 (upload), 1521 (repository and target database), 22 (SSH to the host) and ICMP (0) echo reply / ICMP (8) echo request (host status).

Refer to Appendix for alternatives to ICMP


Proxy Servers


Enabling multiple proxy servers: OMS <-> Agent communication

Can I configure proxy servers for a centralized Oracle Management Server to talk to agents in different DMZ zones?

My targets are in different DMZ zones isolated by the corporate firewall and network topology.


Proxy server support for OMS <-> Agent communication

Figure: the EM corporate network (Repository, Oracle Management Service (OMS), Load Balancer) reaches agents in Demilitarized Zone 1 and Demilitarized Zone 2 through a separate proxy server for each zone, across the firewall/gateway.

Configure different proxy servers for agents in different DMZ networks

• OMS to Agent => Setup -> Proxy Settings -> Agents

• Agents are associated to proxy servers by name or pattern during proxy server creation

• Agent to OMS => Setup -> Agents -> Advanced Properties -> proxyHost, proxyPort


Server Hardening

OS hardening, User authentication, Security update management, Inbound TCP/IP port control

Frequently asked queries


Enterprise Manager Target Authentication


Centralize User Account management

How can I set up my named credentials to authenticate against an Active Directory account?

I have LDAP or Kerberos user authentication on the hosts.


Pluggable Authentication Modules (PAM)

• Enables centralized user account management

– Improves user-level security

– Flexibility in managing user authentication

– Allows configuration of a defined global password policy

• Flexible configuration using four dynamically loaded module types

– Auth module: identifying the user

– Account module: restricting account access

– Password module: changing passwords

– Session module: managing user sessions

Figure: the EM Agent calls the PAM library, which loads pam_ldap.so (LDAP), libpam_krb5 (Kerberos) and pam_unix.so (UNIX).

Configuration file: /etc/pam.d/emagent

#%PAM-1.0
auth     required pam_ldap.so
account  required libpam_krb5
password required pam_ldap.so
session  required pam_unix.so


Enterprise Manager Target Authentication


Restricted Privilege Delegation

How can I make sure that privileged access is used only for patching/provisioning activity?

I have restricted OS access by locking the root and Oracle accounts, and I use privilege delegation to impersonate access for patching/provisioning tasks.


Privilege Delegation For Restricted Functionality

• Restricted Root Access for PATCHING and PROVISIONING activity only

Figure: an OS-authenticated user (john) runs EM Agent job commands with elevated privileges against the locked oracle and root accounts through a restricted sudoers entry (john ALL = (oracle) ~/emagent/sbin/nmosudo PATCH_DISPATCHER); the agent executes only the nmosudo dispatcher.

SAMPLE RESTRICTED SUDOERS ENTRY FOR PATCHING

john ALL = (oracle) /u01/app/oracle/emagent/12.1.0.5/sbin/nmosudo PATCH_DISPATCHER

john ALL = (root) /u01/app/oracle/emagent/12.1.0.5/sbin/nmosudo PATCH_DISPATCHER

Cmnd_Alias PATCH_DISPATCHER = \
<agent_home>/sbin/nmosudo DEFAULT_PLUGIN DEFAULT_FUNCTIONALITY DEFAULT_SUBACTION DEFAULT_ACTION perl *, \
<agent_home>/sbin/nmosudo DEFAULT_PLUGIN DEFAULT_FUNCTIONALITY DEFAULT_SUBACTION DEFAULT_ACTION <dispatcher_loc>/patching_root_dispatcher.sh *, \
<agent_home>/sbin/nmosudo DEFAULT_PLUGIN DEFAULT_FUNCTIONALITY DEFAULT_SUBACTION DEFAULT_ACTION <dispatcher_loc>/root_dispatcher.sh *, \
<agent_home>/sbin/nmosudo DEFAULT_PLUGIN DEFAULT_FUNCTIONALITY DEFAULT_SUBACTION DEFAULT_ACTION id
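The restricted sudoers entry above is the control; the following added example (written for this page, not Oracle's code) is a small checker that parses such entries, expands the Cmnd_Alias and reports any grant that is broader than the nmosudo dispatcher. The sample input is constructed: the john entries follow the slide's alias in the form user host = (runas) ALIAS, and the alice line is a deliberately over-broad grant added so the check has something to flag.

```python
import re
from collections import defaultdict

# Constructed sample sudoers text. The alias and the two john entries follow the
# slide (written in the alias form "user host = (runas) ALIAS"); the alice entry
# is an over-broad grant added here to show what the check reports.
SAMPLE_SUDOERS = r"""
Cmnd_Alias PATCH_DISPATCHER = \
    <agent_home>/sbin/nmosudo DEFAULT_PLUGIN DEFAULT_FUNCTIONALITY DEFAULT_SUBACTION DEFAULT_ACTION perl *, \
    <agent_home>/sbin/nmosudo DEFAULT_PLUGIN DEFAULT_FUNCTIONALITY DEFAULT_SUBACTION DEFAULT_ACTION <dispatcher_loc>/patching_root_dispatcher.sh *, \
    <agent_home>/sbin/nmosudo DEFAULT_PLUGIN DEFAULT_FUNCTIONALITY DEFAULT_SUBACTION DEFAULT_ACTION <dispatcher_loc>/root_dispatcher.sh *, \
    <agent_home>/sbin/nmosudo DEFAULT_PLUGIN DEFAULT_FUNCTIONALITY DEFAULT_SUBACTION DEFAULT_ACTION id
john ALL = (oracle) PATCH_DISPATCHER
john ALL = (root) PATCH_DISPATCHER
alice ALL = (ALL) ALL
"""

# user  host = (runas) command-list
USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
OTHER_DIRECTIVES = ("Defaults", "Host_Alias", "User_Alias", "Runas_Alias")


def _logical_lines(text):
    """Drop comments and blank lines, join backslash continuations."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_sudoers(text):
    """Return ({alias: [commands]}, [(user, host, runas, [commands])])."""
    aliases, specs = {}, []
    for line in _logical_lines(text):
        if line.startswith("Cmnd_Alias"):
            name, _, rhs = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in rhs.split(",") if c.strip()]
            continue
        if line.startswith(OTHER_DIRECTIVES):
            continue
        m = USER_SPEC.match(line)
        if m:
            user, host, runas, cmds = m.groups()
            specs.append((user, host, (runas or user).strip(),
                          [c.strip() for c in cmds.split(",") if c.strip()]))
    return aliases, specs


def _expand(cmds, aliases, seen=()):
    """Replace alias names by their member commands (recursive, cycle-safe)."""
    out = []
    for c in cmds:
        if c in aliases and c not in seen:
            out.extend(_expand(aliases[c], aliases, seen + (c,)))
        else:
            out.append(c)
    return out


def audit_delegation(text, dispatcher="nmosudo"):
    """Expand every user spec and report grants that escape the EM dispatcher.

    Returns ({(user, runas): [commands]}, [findings]). A finding is raised for
    a run-as of ALL, a command of ALL, or a command whose binary is not the
    agent's nmosudo dispatcher. A correctly restricted entry yields none.
    """
    aliases, specs = parse_sudoers(text)
    grants, findings = defaultdict(list), []
    for user, _host, runas, cmds in specs:
        expanded = _expand(cmds, aliases)
        grants[(user, runas)].extend(expanded)
        if runas == "ALL":
            findings.append(f"{user}: may run commands as any user")
        for cmd in expanded:
            if cmd == "ALL":
                findings.append(f"{user} as {runas}: unrestricted ALL command")
            elif f"/{dispatcher} " not in cmd + " ":
                findings.append(f"{user} as {runas}: command outside {dispatcher}: {cmd}")
    return dict(grants), findings


if __name__ == "__main__":
    result, problems = audit_delegation(SAMPLE_SUDOERS)
    for key, cmds in result.items():
        print(key, len(cmds), "command(s)")
    for p in problems:
        print("FINDING:", p)
```

Run against the sample, the two john specs expand to the four nmosudo commands each and produce no findings, while the alice line produces two. The same function can be pointed at a real /etc/sudoers export to confirm that a delegated OS user cannot run anything outside the dispatcher.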


Enterprise Manager Target Authentication


Passwordless Target Authentication

I want to configure stronger passwordless communication to targets. Is it feasible?


Configure Passwordless Target Authentication

• Host Targets

– SSH Key Credentials

– Key Exchange algorithm (JSch .53 version) configurable at the EM Agent

• sshKexAlgorithms property in emd.properties

• Database Targets

– PKI Credentials

– Kerberos Credentials

Figure: the private key of an SSH Key Named Credential is held at the Oracle Management Service (OMS), delivered to the EM Agent, and used by the agent's Java SSH client to reach the host target.


Application Hardening

User Login, account management, Access Control

Frequently asked queries


Enterprise Manager Authentication

Centralize Authentication

How can I configure centralized authentication with Enterprise Manager?

I want to configure my corporate Active Directory users to log into Enterprise Manager….


Working with Centralized Authentication providers

• Step 1: Configure the underlying WebLogic Server to work with the authentication provider

• The OMS delegates user authentication to the WebLogic Server (in the OMS stack) for external authentication

• If the LDAP server is Microsoft Active Directory / Oracle Internet Directory / Oracle Access Manager

– Native support with one-step configuration: emctl config auth

• If any other external authentication provider

– Manually configure with the out-of-box WebLogic Security Provider, OR

– Create and configure custom security providers through the WebLogic service provider interface (APIs)

Figure: the Oracle Management Service (OMS) delegates to the authentication providers: Repository, AD, OIM, OAM.


Working with Centralized Authentication providers

• Step 2: Configure External Roles

• Auto-assigns Enterprise Manager roles to users based on LDAP group membership

– Define an Enterprise Manager Role and mark it “External”

– <Enterprise Manager external role name> = <LDAP_group_name>

• Step 3: Enable auto provisioning

• Automates the provisioning of Enterprise Manager user accounts upon first login

– Set the OMS property oracle.sysman.core.security.auth.autoprovisioning = true

• Simplify administration with External Roles and auto provisioning

• Auto-creates Enterprise Manager user accounts

• Provides Enterprise Manager users with defined privileges on first login

• Centralized authentication login controls: password profile management

Better User and Role administration


Enterprise Manager Authorization

Differentiate access to database target

How do I give application developers read-only access to view the performance management report for a production database target?

I have various teams that perform specific database management tasks based on their job profile.


Flexible Database Access Control privileges

• Different personas of database users with different authorization levels

• Application Developer, Application DBA, Database Administrator, Performance Administrator

• Flexible database access control privileges

• Very granular database target privileges available for target types – Database Instance, Cluster Database and Pluggable Database

• Unless explicitly granted, no access for menu items, database regions.

• Underlying database privileges are required.

• Separate View and Manage privileges for all areas in DB management (~150)

• Out-of-box Aggregated Privileges /Roles also available

– Database Application DBA, Database Application Developer(Roles)

– Manage Database Performance Privilege Group, View Database Schema Privilege Group(Privileges)

Principle of Least privilege for database target management


Flexible Database Access Control privileges

Application Developers are prevented from accessing the grayed-out menu items, for example “SQL Performance Analyzer Setup” and “SQL Access Advisor”.

Figure: Application DBAs hold the Database Application DBA role, which grants the DBA privilege on DB1, DB2, DB3 and DB4; Application Developers hold the Database Application Developer role, which grants the Developer privilege on the same database targets. Application DBAs have access to “SQL Performance Analyzer Setup” and “SQL Access Advisor”.


Enterprise Manager Access Management

Privileged DB credential access and management

How do I protect my sensitive privileged DB credentials ?


Use Private Roles for sharing Named Credentials

– Some sensitive privileges cannot be added to a System Role

• Any Super Administrator has access and can grant them to any user

• Any Super Administrator could grant a role without the knowledge of the owner

– To grant these sensitive privileges to many users, use Private Roles

– Private Roles:

• Only the role owner or role grantees can grant the role to other users

• Only the role owner has access to modify/delete the private role

– Share restricted Named Credentials between administrators by assigning them to a Private Role, then granting that role to your users.

Figure: a Privileged Administrator (Private Role owner) places a DB credential in a Private Role and grants it to the Application DBAs; the privileges shown are Full Deployment Procedure, View Credential, Edit Credential, Full Credential and Full Job.


Automate password management for privileged Named credentials

• Detection: use a Compliance Violation

– Create a Configuration Extension for the database instance target type to monitor DB account password expiry (refer to the SQL query in the Appendix)

– Create an agent-side Compliance Standard Rule and Compliance Standard

– Associate the database instance targets with the compliance standard

• Alternate option

– EMCLI script with the verb get_db_account, passing in the “-expire_in_hours” parameter

• Remediation

– The EMCLI verb update_db_password changes the password at the DB target and in all Enterprise Manager credential references

– Supports changing the password for ALL users, including SYS/SYSDBA users

– Sample: emcli update_db_password -target_name=mydb -user_name=dbsnmp -target_type=oracle_database -change_all_references=yes -change_at_target=yes


Data hardening

Strong passwords, File ACLs, Endpoint security and secure communication paths (TLS), Database Access Settings

Frequently asked queries


Enterprise Manager Secure Data Communication

TLS1.2 Compliance

Are Enterprise Manager components TLS1.2 compliant?

I want to secure my sensitive data over the network infrastructure!!!


TLS1.2 Compliance in Monitoring and Infrastructure

Figure: channels between the Console, the Agent, the Oracle Management Service (OMS), the Oracle Management Repository (OMR), the Always-On Monitoring Service (AOM), the Always-On Monitoring Repository and the Database Target.

• EM13c:

• All infrastructure channels TLS1.2 enabled by default

• FMW target monitoring TLS1.2 enabled by default

• EM13.2: TLS1.2 with configuration

• OMS -> DB Target

• 13c Agent -> DB Target

• OMS -> OMR

• AOM -> OMR

• AOM -> AOM Repository

Refer to Appendix for configuration


Enterprise Manager Secure Data Communication

Certificates for encryption

I configured communications using Oracle-provided certificates. Is this secure?

I have my Enterprise Manager services available over the public network. How can any client accessing these services be assured of data integrity and authenticity?


Custom Third party CA Certificates

• For a truly secured environment:

• Get your own custom third-party CA certificate

• RSA keys with a minimum of 2048-bit key strength

• Do not use X.509 certificates signed with the MD5 algorithm. Request SHA2 (SHA-256 or SHA-512).

• Do not use the self-signed certificates of Enterprise Manager

• Do not use the default WebLogic Server demonstration certificates

• Configure custom third-party CA certificates for:

1) Console to OMS

2) Agent to OMS

3) WebLogic Server

4) OMS and Agent to target database

5) OMS to OMR

6) AOM to OMR

7) AOM to AOM Rep

8) Agent to AOM

Figure: the eight numbered channels drawn between the Console, the Database Targets, the Agent, the Oracle Management Service (OMS), the Oracle Management Repository (OMR), the Always-On Monitoring Service (AOM) and the Always-On Monitoring Repository (AOM Rep).


Configuring Custom Third party CA certificates

• Configuring OMS

– Request a certificate with the load balancer name as Common Name if the OMSes are front-ended by a load balancer.

– Secure the HTTPS console access

– Secure the HTTPS upload access

– Secure the agents

• Configuring WebLogic Server components

– SSL certificates are to be generated with the physical host name of the OMS machine.

– In a multi-OMS setup, separate keystores need to be created for each OMS using the host name of that OMS server.

– Import the CA certificates into the trust store of the Agent that monitors the OMS

– Configure OMS and WLS using “emctl secure wls -wallet”

• Configuring Agents

– Copy the cwallet.sso file to the <AGENT_INST>/sysman/config/server directory.

– If the OMS SSL certificate has been signed by a different CA than the Agent's, import the root certificates of the Agent's new SSL certificate into the OMS trust store using “emctl secure oms -wallet -trust_certs_loc”

Refer to the Security Guide for samples and details


Configuring Third party CA certificates

• Configuring OMS/AOM to Repository

– Secure OMS access

• Import the database server CA certificate into the OMS JDK TrustStore.

– Secure AOM access

• Two options:

– Import the database server CA certificate into the Oracle Management Service JDK TrustStore.

– Store the certificates in an external TrustStore

• AOM setup with EMSCA

– Long format of the DB connection string

• Configuring OMS/Agent to target database

– For communication between the Oracle Management Service and the database

• EMCTL properties to be set at the OMS server

– For communication between the Agent and the database

• EMCTL properties to be set at the Agent

• Configuring Agent to AOM

– Request a certificate with the load balancer name as Common Name if the AOMs are front-ended by a load balancer.

– Configure AOM with “emsctl secure [-wallet]”

– If the custom certificates are not signed by the same CAs the agents trust, add these CAs to the agent trust store:

• Add the custom certificate CA to the OMS using emctl secure oms -trust_certs_loc <trustCerts.txt>

• Re-secure the agents

Refer to the Security Guide for samples and details


Enterprise Manager Secure Data Communication

Upgrading Certificates with minimal outage

How can I upgrade the OMS certificate chain without causing a business-wide outage?

I want to migrate/upgrade my current PKI hierarchy because my certificates have expired or become obsolete…


Upgrading Third party CA certificate chain (with minimized downtime)

• Step 1: Update the OMS-side trust store with both the new and the old CA chain.

– emctl secure oms -trust_certs_loc <file containing new and old CAs>

• After running this command, check the Trust Certificate Details table in the Security Console (Setup -> Security -> Security Console -> Secure Communication) and verify that the new CAs are there.

• Step 2: Resecure the agents. This updates the trust store on each agent to hold both the old and the new CA chain, so the agent can connect to both the old OMS certificate and the new one.

– emcli secure_agents OR an OS Command job running “emctl secure agent [-emdWalletSrcUrl <slb url>]” on every agent. After all agents are re-secured, go to step 3.

• Step 3: Change the OMS certificate and update the trust store to hold only the new CA.

– emctl secure oms -wallet <new wallet> -trust_certs_loc <file containing new CAs> -console [slb options]

– emctl stop oms -all; emctl start oms [perform the bounce on the OMSes in a rolling fashion]

• Step 4 (optional: clean up the trust store with the old CA): Resecure the agents in bulk so that their trust store holds only the new CA.

– emcli secure_agents OR an OS Command job running “emctl secure agent [-emdWalletSrcUrl <slb url>]” on every agent

Changes in the root/intermediate certificate chain have no effect on user certificates: only the -trust_certs_loc option is used.
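The ordering of the steps above is what keeps agents connected throughout. The following added example (written for this page, not Oracle's code) models that invariant: it tracks only whether each agent's trust store still contains the CA that issued the OMS certificate, with constructed CA and agent names, and simplifies "resecure" to "the agent copies the OMS trust store". The documented order produces no outage at any step; the two variants in the code (switching the OMS certificate before resecuring, or moving to step 3 before every agent is resecured) show exactly which agents lose connectivity.

```python
# Toy model of the certificate-chain rotation described on the slide. Only the
# direction that decides the outage question is modelled: does each agent still
# trust the CA that issued the OMS certificate? All names are constructed.


class Deployment:
    def __init__(self, agents, old_ca="OLD_CA"):
        self.agents = list(agents)
        self.oms_cert_ca = old_ca                   # CA that issued the OMS cert
        self.oms_trust = {old_ca}                   # OMS-side trust store
        self.agent_trust = {a: {old_ca} for a in self.agents}
        self.log = []                               # (step, agents that cannot connect)

    def resecure(self, agents):
        """emctl secure agent / emcli secure_agents, simplified: the agent rebuilds
        its trust store from what the OMS currently trusts."""
        for a in agents:
            self.agent_trust[a] = set(self.oms_trust)

    def check(self, step):
        """Record which agents can no longer validate the OMS certificate."""
        broken = [a for a in self.agents if self.oms_cert_ca not in self.agent_trust[a]]
        self.log.append((step, broken))
        return broken


def rotate(agents, new_ca="NEW_CA", documented_order=True, resecured_fraction=1.0):
    """Run the rotation; return [(step, agents_without_connectivity), ...].

    documented_order=False switches the OMS certificate before any agent has
    been resecured; resecured_fraction < 1 proceeds to step 3 before every
    agent has been resecured. Both are the mistakes the slide's order avoids.
    """
    d = Deployment(agents)
    old_ca = d.oms_cert_ca
    if documented_order:
        # Step 1: OMS trusts both chains. Agents are untouched, nothing breaks.
        d.oms_trust = {old_ca, new_ca}
        d.check("1 oms trusts old+new")
        # Step 2: resecure agents so they trust both chains as well.
        d.resecure(d.agents[: int(len(d.agents) * resecured_fraction)])
        d.check("2 agents resecured")
    # Step 3: switch the OMS certificate and trust only the new chain.
    d.oms_cert_ca = new_ca
    d.oms_trust = {new_ca}
    d.check("3 oms switched to new chain")
    # Step 4 (optional clean-up): agents drop the old CA too.
    d.resecure(d.agents)
    d.check("4 agents cleaned up")
    return d.log


def outage_steps(log):
    """Steps at which at least one agent could not reach the OMS."""
    return [step for step, broken in log if broken]


if __name__ == "__main__":
    fleet = ["agent1", "agent2", "agent3", "agent4"]
    print("documented order :", outage_steps(rotate(fleet)))
    print("switch cert first:", outage_steps(rotate(fleet, documented_order=False)))
    print("half resecured   :", outage_steps(rotate(fleet, resecured_fraction=0.5)))
```

The half-resecured run is the case the slide warns about with "after all agents are re-secured go to step 3": the agents that were not resecured before the switch are exactly the ones reported at step 3.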


Enterprise Manager Secure Data Communication

Cipher Suites Hardening

Can Enterprise Manager components be configured to use only specific stronger cipher suites?

I want to tighten security controls on allowed cipher suites.


Cipher Suite Hardening

• Hardening measures in Enterprise Manager 13.2

– All RC4 ciphers are disabled by default

– The MD5withRSA algorithm is disabled for the TLS1.2 handshake

– X.509 certificates containing an MD5-based digital signature algorithm are disabled by default

• Users are given the option to use the deprecated MD5-based certificates until SHA2 certificates are procured.

– Perfect Forward Secrecy with ephemeral key exchange (ECDHE/DHE) for OMS <-> Agent communication

• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

– Other cipher suites supported for OMS <-> Agent communication

• SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256
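An added example, not Oracle's code, that grades the suite names listed above: it splits IANA/JSSE cipher suite names into key exchange, cipher and MAC, marks which suites give forward secrecy, rejects RC4, NULL and MD5 outright, and treats 3DES (still in the supported list above) as legacy that a hardened policy drops unless explicitly allowed. The two disabled-suite names are constructed inputs to show rejection; nothing here talks to a JVM or an OMS.

```python
import re

# Suites named on the slide for OMS <-> Agent communication. The SSL_ prefix is
# JSSE's spelling of the corresponding TLS_RSA_* suites.
PFS_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
]
OTHER_SUITES = [
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]
# Constructed extras: the kind of suite the slide says is disabled.
DISABLED_EXAMPLES = ["SSL_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_NULL_SHA"]

_NAME = re.compile(
    r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<cipher>.+?)_(?P<mac>MD5|SHA256|SHA384|SHA)$")


def describe(suite):
    """Split an IANA/JSSE suite name into its parts and grade them."""
    m = _NAME.match(suite)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {suite}")
    kx, cipher, mac = m.group("kx"), m.group("cipher"), m.group("mac")
    return {
        "suite": suite,
        "kx": kx,
        "cipher": cipher,
        "mac": mac,
        # Ephemeral (EC)DH key exchange is what gives perfect forward secrecy.
        "pfs": kx.startswith(("ECDHE_", "DHE_")),
        # 3DES is a 64-bit block cipher; keep it only for legacy peers.
        "legacy": cipher.startswith("3DES"),
        # Never acceptable: RC4, NULL encryption, MD5 MAC, export-grade exchange.
        "reject": cipher.startswith(("RC4", "NULL")) or mac == "MD5" or "EXPORT" in kx,
    }


def harden(candidates, allow_legacy=False):
    """Filter and order a suite list the way a hardened policy would: drop
    rejected suites, drop 3DES unless allow_legacy, then rank PFS suites first,
    AES-256 before AES-128, SHA-2 MACs before SHA-1."""
    kept = []
    for suite in candidates:
        d = describe(suite)
        if d["reject"] or (d["legacy"] and not allow_legacy):
            continue
        kept.append(d)

    def rank(d):
        bits = 256 if "256" in d["cipher"] else 128
        return (0 if d["pfs"] else 1, -bits, 0 if d["mac"] != "SHA" else 1)

    return [d["suite"] for d in sorted(kept, key=rank)]


def non_pfs(candidates):
    """Suites in a configured list that do not provide forward secrecy."""
    return [s for s in candidates if not describe(s)["pfs"]]


if __name__ == "__main__":
    for s in harden(PFS_SUITES + OTHER_SUITES + DISABLED_EXAMPLES):
        print(s)
    print("without PFS:", non_pfs(OTHER_SUITES))
```

Applied to the slide's two lists, harden() keeps six suites and puts the two ECDHE AES suites first; non_pfs() shows that every suite in the "other" list would let a recorded session be decrypted later if the RSA key were ever compromised, which is the reason to prefer the ECDHE group where the peers support it.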


Administrative Hardening

Security policies, procedures, governance, auditing

Frequently asked queries


Enabling Audit

Client Hostname Audit Tracing

How can I track access to the user?

My OMSes are front-ended by a Server Load Balancer. Audit data and Active User sessions in the console show the SLB hostname/IP address instead of the client hostname/IP address.


Client hostname audit tracing with load balancer

• Enable Audit:

– To audit access to high-priority assets, such as databases and application servers that host business-critical information.

– To audit access to shared and privileged accounts

• If the OMS is front-ended by a server load balancer:

– Enable the Insert X-Forwarded-For option in the HTTP profile in the Load Balancer

– OR configure an iRule to insert the original client IP address in an X-Forwarded-For HTTP header

– Terminate the SSL connection at the Load Balancer

– Set the OMS property “oracle.sysman.core.security.audit.client_ip_header_name” to “X-Forwarded-For”
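As an added example (not Oracle's code), here is how an audit layer behind a TLS-terminating load balancer should derive the client address from the header named by that OMS property. The trusted proxy range and the sample requests are constructed. The point it demonstrates is that X-Forwarded-For must be read from the right, trusting only the hop appended by your own load balancer: the client can put anything into the header itself, so an audit record that took the leftmost value would attribute the session to whatever address the client chose.

```python
import ipaddress

# Assumed address plan (constructed): the server load balancer that terminates
# TLS in front of the OMSes lives in 10.0.0.0/24. Only hops from this range are
# believed when walking the X-Forwarded-For chain.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def client_ip(remote_addr, headers, header_name="X-Forwarded-For",
              trusted=TRUSTED_PROXIES):
    """Return the address an audit record should attribute the request to.

    remote_addr is the TCP peer the OMS sees (the SLB when TLS terminates
    there). The header is only consulted when that peer is a trusted proxy, and
    it is read from the right, because each proxy appends the address it
    received the request from. The first value that is not itself a trusted
    proxy is the client as observed by our own load balancer; anything further
    left was supplied by the client and is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer, trusted):
        return str(peer)                 # direct connection: the peer is the client
    hops = [h.strip() for h in _header(headers, header_name).split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                        # malformed entry: do not trust the chain
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(peer)                     # no usable hop: record the proxy itself


def audit_record(user, action, remote_addr, headers):
    """Build the audit row. Both the attributed client and the raw peer are
    kept, so every record can still be traced to the proxy it came through."""
    return {"user": user, "action": action,
            "client_ip": client_ip(remote_addr, headers),
            "peer_ip": remote_addr}


# Constructed requests, as the OMS would see them: (TCP peer, HTTP headers).
CASES = {
    # The client sent its own header value; the SLB appended the real source.
    "spoof_via_slb": ("10.0.0.5", {"X-Forwarded-For": "1.2.3.4, 203.0.113.10"}),
    # Two trusted proxy tiers in front of the OMS.
    "two_proxy_tiers": ("10.0.0.5", {"x-forwarded-for": "203.0.113.10, 10.0.0.6"}),
    # Direct connection carrying a forged header: the header is ignored.
    "direct_forged": ("198.51.100.7", {"X-Forwarded-For": "1.2.3.4"}),
    # SLB did not insert the header (option not enabled): fall back to the SLB.
    "slb_no_header": ("10.0.0.5", {}),
}

if __name__ == "__main__":
    for name, (peer, hdrs) in CASES.items():
        print(name, "->", audit_record("SYSMAN", "login", peer, hdrs)["client_ip"])
```

The last case is the symptom from the question on the previous slide: without the load balancer inserting the header, the only address available is the SLB's own, so the audit trail shows the SLB instead of the client.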


Enterprise Manager: Proactive Security Hardening Summary

Proactive security hardening measures of Enterprise Manager are leveraged within a Defense-in-Depth security model.

A scalable risk management solution encompassing robust controls.

Strong management practices reducing the vulnerability surface and risk.


Appendix


Secured Communication across Firewalls: Alternate to using ICMP ping

• Define an alternate command to be used instead of ICMP ping

• Set the command in the property

– 'oracle.sysman.core.omsAgentComm.ping.pingCommand'


Configuration extension to monitor DB account password expiry

• SQL Query:

SELECT USERNAME || ' going to expire in next 24 hours'
  FROM SYS.DBA_USERS
 WHERE ACCOUNT_STATUS NOT LIKE '%EXPIRED%'
   AND ROUND((EXPIRY_DATE - SYSDATE) * 24, 0) <= 24


Configuring TLS1.2 for OMS -> OMR

Best practices for configuring one-way SSL server authentication (the OMS is the client, the OMR repository is the server presenting its identity)

• Accommodate in planned downtime

• Follow the Database Security Guide for enabling TCPS in the OMR repository

• SSL client authentication must be turned off in listener.ora and sqlnet.ora

• SSL_VERSION=1.2 in sqlnet.ora (to lock to TLS1.2)

• Disable native client encryption (if turned on)

• Blackout the repository targets (database, Management Services and Repository, Management Service, Metadata Repository) to suppress the alerts

• Refer to the official Security Guide for the complete process

[Figure: one-way SSL. OMS (client) <- server's identity <- OMR repository (server)]


Configuring TLS1.2 for AOM -> OMR / AOM Repository

Best practices for configuring one-way SSL server authentication

• Accommodate in planned downtime

• Follow the Database Security Guide for enabling TCPS in the AOM repository

• SSL client authentication must be turned off in listener.ora and sqlnet.ora

• SSL_VERSION=1.2 in sqlnet.ora (to lock to TLS1.2)

• Two approaches:

– Import the database server CA certificate into the JDK trust store

– Use an external trust store holding the database server CA certificate

• EMSCA configuration: the repository connection string for AOM and EM should be in long format


Configuring TLS1.2 for Database Target monitoring

Best practices for configuring two-way SSL authentication (the database target presents the server's identity and the OMS, as client, presents the client's identity)

• Follow the Database Security Guide for enabling TCPS in the OMR repository

• SSL client authentication must be turned ON

• SSL_VERSION=1.2 in sqlnet.ora (to lock to TLS1.2)

• Configure secure wallets with third-party CA certificates

– For communication between the Oracle Management Service and the database

– For communication between the Agent and the database

• Perform the OMS bounce in a rolling fashion to minimize downtime

• Bounce the agent after importing the wallets

• Refer to the official Security Guide for the complete process

[Figure: two-way SSL. OMS (client) <-> Database Target (server); server's identity and client's identity are both exchanged]
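The sqlnet.ora settings from the three TLS1.2 slides above as a checkable profile, an added example that is not Oracle's code: parse_sqlnet reads the flat parameters and check_tls_profile reports anything that deviates from the one-way configuration (OMS -> OMR, AOM -> repository: client authentication off, TLS locked to 1.2, native encryption not forced, a wallet present) or the two-way configuration for database targets (client authentication on). Both sqlnet.ora samples are constructed and the wallet directory in them is a placeholder.

```python
"""Check a sqlnet.ora profile for the TLS 1.2 settings described on the slides.

Added example, not Oracle code.  The two sqlnet.ora samples are constructed;
the wallet directory in them is a placeholder path.
"""
from typing import Dict, List


def parse_sqlnet(text: str) -> Dict[str, str]:
    """Parse flat KEY = VALUE lines of a sqlnet.ora into an upper-cased dict.

    Nested descriptors such as WALLET_LOCATION = (SOURCE = ...) are skipped;
    only scalar parameters matter for this check.  '#' starts a comment.
    """
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("(") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if value.startswith("("):
            continue  # nested descriptor, not a scalar parameter
        params[key.strip().upper()] = value.upper()
    return params


def check_tls_profile(text: str, mutual: bool) -> List[str]:
    """Return findings for a sqlnet.ora; an empty list means it matches the slides.

    mutual=False: OMS -> OMR and AOM -> repository (server authentication only).
    mutual=True:  OMS/agent -> database target (client certificate required).
    """
    p = parse_sqlnet(text)
    findings: List[str] = []

    version = p.get("SSL_VERSION", "unset")
    if version != "1.2":
        findings.append(f"SSL_VERSION={version}: expected 1.2 to lock the connection to TLS 1.2")

    want = "TRUE" if mutual else "FALSE"
    got = p.get("SSL_CLIENT_AUTHENTICATION", "unset")
    if got != want:
        mode = "two-way" if mutual else "one-way"
        findings.append(f"SSL_CLIENT_AUTHENTICATION={got}: expected {want} ({mode} authentication)")

    # Native (non-TLS) encryption must not be forced once TLS carries the session.
    for key in ("SQLNET.ENCRYPTION_CLIENT", "SQLNET.ENCRYPTION_SERVER"):
        if p.get(key) in ("REQUIRED", "REQUESTED"):
            findings.append(f"{key}={p[key]}: disable native encryption when using TCPS")

    # The wallet descriptor is nested, so look for it in the raw text.
    if "WALLET_LOCATION" not in text.upper():
        findings.append("WALLET_LOCATION missing: no wallet holding the CA certificate(s)")
    return findings


# Constructed: a profile still on TLS 1.0 with native encryption forced.
WEAK_SQLNET = """
SSL_VERSION = 1.0
SQLNET.ENCRYPTION_CLIENT = REQUIRED
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /path/to/wallet)))
"""

# Constructed: the one-way profile for OMS -> OMR described above.
ONE_WAY_SQLNET = """
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = FALSE      # server authentication only
SQLNET.ENCRYPTION_CLIENT = ACCEPTED
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /path/to/wallet)))
"""


if __name__ == "__main__":
    for name, text, mutual in (("weak", WEAK_SQLNET, False),
                               ("one-way", ONE_WAY_SQLNET, False),
                               ("one-way used for a target", ONE_WAY_SQLNET, True)):
        print(f"{name}: {check_tls_profile(text, mutual) or 'OK'}")
```

Run it against the client-side sqlnet.ora before the planned downtime starts; a profile that passes for mutual=False still fails for a database target, which is the point of keeping the two-way checklist separate from the one-way one.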


Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Centralized and Secure Monitoring of Databases:

An Oracle Enterprise Manager 12c Implementation

Deepen Chakraborty

Enterprise Architect

Technology Manufacturing Group

Intel Corporation

Sep 19, 2016


Agenda

Intel's DB monitoring profile and challenges

Centralized Enterprise Manager 12c Cloud Control Architecture

Challenges : E2E monitoring over WAN

Firewall Port Requirements and Implementation

Details of firewall ports configuration

Role Based Administrator Security Setup

Lessons Learned


Intel's Database Profile & Challenges

Database Profile

• Intel's Factory Automation Databases are used for making critical manufacturing decisions (operational, planning, engineering analysis, process control)

• Automation databases include both mission-critical OLTP and mission-important DSS type systems (ranging from a few hundred GB up to 30 TB) spread across the US and Asia

Challenges

• Local implementation of the EM10gR2 stack

• Maintenance of monitoring templates and notification rules, copy-exactly compliance

• Patching 14 different installations


Centralized Enterprise Manager 12c Cloud Control


Enterprise Manager 12c Architecture Box Diagram

[Figure: architecture box diagram; label: Targets in a Datacenter]


Centralized Enterprise Manager 12c Capabilities

Able to monitor and use all the features of Oracle 11gR2 and 12c databases using EM12c Cloud Control, e.g. real-time query performance, real-time ADDM, reporting and metrics capabilities, etc.

High Availability (database and Oracle Management Server): near-real-time monitoring alerts

Fully automated target setup using the dynamic group feature after OMA install

Robust security (super user, admin user, read-only user)

Target control from target nodes instead of Cloud Control nodes using EMCLI

No central dependency for the target databases' high availability (FSFO capability for targets) or backup and recovery


Challenges: E2E Monitoring Over WAN

Backup and Recovery

• Even though monitoring of the targets was not a problem over the WAN, RMAN catalog-based backups were slow from the centralized OMS/OMR

Data Guard Observer

• A reliable and fast connection is a prerequisite for the Data Guard observer in a 'Fast-Start Failover' setup, to avoid false failovers

Solution

• Local setup of highly available nodes providing a local recovery catalog database for fast backups and a local observer to avoid false failovers


Firewall Port Implementation: Optimal Network Routing Setup

[Figure: network diagram. Boxes: Oracle Management Server (OMS Host), Oracle Management Repository, Target (Target Database, Recovery Catalog), with firewalls between the tiers. Port labels on the links: 77XX, 15XX, 48XX, 38XX, 11xx, 48xx, 1521, 15xx.]


Detailed Firewall Port Configuration

Assumptions: the OMS is a two-node active/passive Microsoft cluster; the target database is a primary and physical standby database.

From: OMS Server Host (Active Node 1 IP address, Passive Node 1 IP address, OMS Cluster VIP IP address)
To: Database Target Host (Database Node 1 IP address, Database Node 2 IP address, ... Database Node n IP address)
Ports: TCP Grid Listener port (15xx), TCP Data Guard private port (15xx), TCP Database Listener port (15xx), TCP 38xx, TCP 18xx

From: Database Target Hosts (Database Node 1 IP address, Database Node 2 IP address, ... Database Node n IP address)
To: OMS Server Host (OMS VIP address)
Ports: TCP 11xx/48xx

Recovery Catalog Database Host:
Primary Recovery Node 1 IP address, TCP Database listener port (15xx)
Physical Recovery Node 2 IP address, TCP Database listener port (15xx)

Need to follow the steps for all the target servers.


Role Based Administrator Security Setup

Multiple levels of administrator were created for efficient use of job roles and security.

Administrator name: Responsibility

• SYSMAN: Super Administrator

• <SITE>_ADMIN: The site admin can only view the targets associated with his/her site

• <Group>_ADMIN: The group admin is responsible for the group of databases; it can also administer the site admin

• <Appl>_ADMIN: Application admin responsible for running application-level setup as well as AWR/ASH and performance-related reports

• <Appl>_View_User: Application user with view-only mode for a particular application or group of applications

Credentials are created for access control of hosts, databases and backup operations:

• Database host credentials for each host

• SYSDBA database credentials for each database

• Recovery catalog user credentials as normal database credentials


Lessons Learned and Benefits

Coordination with Network team:

• Pre-work with the network team on the strategy for enabling port-to-port communication

• Ensure easy troubleshooting of connectivity between the targets and the OMS using the psping tool and Wireshark for firewall port monitoring

• Regular monitoring of EM12c OMR and OMS performance is key to success

• EM12c OMA communication with the OMS is very stable due to the layered communication implementation; it tolerates small glitches in the environment

Benefits of Central Monitoring:

• Central dashboard view of all the targets, a one-stop shop and setup [examples: centralized capacity planning, trending reports, custom reporting of backups for each target database, centralized Streams latency tracking in geographically distributed "capture and apply targets", central inventory of target host names, system metrics and configuration]

• Guaranteed copy-exactly monitoring of all targets

• One place to make changes makes the system easy to maintain


Thanks to TMG Engg Team for the contributions. Thank You for attending the session.


Application Database Blue Print

[Figure: Data Center 1 (Primary DB Instance, Grid Infra, ASM Data & FRA) and Data Center 2 (Standby DB Instance, Grid Infra, ASM Data & FRA), each with public, private and storage networks; observers OBSERVER1 and OBSERVER2; Broker-enabled Data Guard/SYNC between the sites; mirrored LUN of REDO/Control/Arch logs for double-failure coverage.]


Observer and Recovery Catalog Database in Each Site

[Figure: the same two-site layout: Data Center 1 (Primary DB Instance, Grid Infra, ASM Data & FRA) and Data Center 2 (Standby DB Instance, Grid Infra, ASM Data & FRA), public, private and storage networks, observers OBSERVER and OBSERVER1, Broker-enabled Data Guard/SYNC.]

Data Guard (Broker Enabled) Fast-Start Failover zero data loss configuration (SYNC / Max Availability mode / Real Time Apply). For different database versions we will have multiple observers, which will run from different ORACLE_HOMEs.
