Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Get Proactive: Strategies for Hardening Security with Oracle Enterprise Manager (CON6987)
Angeline Janet Dhanarani, Principal Product Manager, Oracle Enterprise Manager
Deepen Chakraborty, Enterprise Architect, Technology Manufacturing Group, Intel Corporation
September 19, 2016
Complete Cloud Control
• Optimized, Efficient: Integrated Cloud & On-premise Stack Management
• Agile, Automated: Complete Cloud & On-premise Lifecycle Management
• Scalable, Secure: Superior Enterprise-Grade Management
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
Informational Security Maturity
Proactive Defense-in-Depth Strategy
Perimeter Hardening
Server Hardening
Application Hardening
Data Hardening
Administrative Hardening
Informational Security Maturity
[Figure: maturity stages from BASIC REACTIVE, to FASTER REACTION, to INTEGRATED COMMON MANAGEMENT, to PROACTIVE IDENTIFICATION AND REMEDIATION, plotted against AGILITY and RISK MANAGEMENT; the low end is defensive, event-driven and tactical, the high end offensive, contextual and strategic]
Crucial Information Security Components:
GOLDEN RULE: PREVENTION IS BETTER THAN CURE
Defense-in-Depth Security Model:
• Layered security solution: provides multiple layers of defense to protect a networking environment
• Security by hardening and monitoring
Proactive Defense-in-Depth Strategy
For hardening Enterprise Manager components (inside out):
[Figure: concentric layers, from the inside out: DATA, APPLICATION, HOST, NETWORK, PHYSICAL, POLICIES AND PROCEDURES]
• Data hardening: strong passwords, file ACLs, endpoint security and secure communication paths (TLS), database access settings
• Application hardening: user login, account management, access control
• Server hardening: OS hardening, authentication, security update management, inbound TCP/IP port control
• Perimeter hardening: firewalls, routers, demilitarized zones, VPNs
• Physical hardening: guards, locks, tracking devices
• Administrative hardening: security policies, procedures, governance, auditing
Perimeter Hardening
Network fortification: firewalls, routers, demilitarized zones, VPNs. Frequently asked queries.

Secured Communication across Firewalls: Network flows and port directions
What network flows and port directions do I need to configure on the firewall to enable secure communication between Enterprise Manager components?
Default ports that need to be configured:
• Cloud Control console HTTPS port (7799)
• Admin Server console HTTPS port (7101)
• Management Repository database SQL*Net port (1521)
• Management Agent port (3872)
• Enterprise Manager upload HTTPS port (1159)
• Enterprise Manager upload HTTP port (4889)
• Host status: ICMP type 0 (echo reply), ICMP type 8 (echo request)
• Target database SQL*Net port (1521)
• Secure admin SSH (22)
Optional ports:
• BIP Reports console HTTPS port (9801)
• JVM Diagnostics HTTPS port (3801)
• My Oracle Support access HTTPS port (443)
• Always-On Monitoring secure upload port (8081)
[Figure: secured communication across firewalls. Console to Oracle Management Service (OMS): 7799 and 7101; agents on the database, application server and host targets to OMS: 1159 and 4889; OMS to agents: 3872; OMS to Oracle Management Repository: 1521; OMS to target database: 1521; OMS to host: ICMP echo request and echo reply, SSH 22]
Refer to the Appendix for alternatives to ICMP.
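The port list above becomes useful as a firewall change request only when each port is paired with its direction. The following is an added example, not part of the presentation: it models each required path as (source zone, destination zone, protocol, port) from the slide's default port list and reports the paths a proposed rule set does not allow. The zone names and the "allow src dst proto port" rule format are assumptions made for this example.

```python
"""Coverage check for the Enterprise Manager firewall flows listed above.

Added example, not from the presentation. Each required path is modelled as
(source zone, destination zone, protocol, port) using the default port list on
the slide; zone names and the 'allow src dst proto port' rule format are
assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "icmp"
    port: int   # TCP port, or ICMP type for "icmp"


# Required flows from the slide's default port list (directions follow the port names:
# console and upload ports are inbound to the OMS, the agent port is OMS -> agent).
REQUIRED_FLOWS = [
    Flow("console", "oms", "tcp", 7799),       # Cloud Control console HTTPS
    Flow("console", "oms", "tcp", 7101),       # Admin Server console HTTPS
    Flow("oms", "omr", "tcp", 1521),           # repository SQL*Net
    Flow("oms", "agent", "tcp", 3872),         # Management Agent port
    Flow("agent", "oms", "tcp", 1159),         # upload HTTPS
    Flow("agent", "oms", "tcp", 4889),         # upload HTTP
    Flow("oms", "target_host", "icmp", 8),     # echo request for host status
    Flow("target_host", "oms", "icmp", 0),     # echo reply
    Flow("oms", "target_db", "tcp", 1521),     # target database SQL*Net
    Flow("oms", "target_host", "tcp", 22),     # secure admin SSH
]


def parse_rules(text):
    """Parse the constructed rule format: 'allow <src> <dst> <proto> <port|any>'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, proto, port = line.split()
        if action == "allow":
            rules.append((src, dst, proto, None if port == "any" else int(port)))
    return rules


def permitted(flow, rules):
    """A flow is permitted if some rule matches zones, protocol and port (or any port)."""
    return any(
        src == flow.src and dst == flow.dst and proto == flow.proto
        and (port is None or port == flow.port)
        for src, dst, proto, port in rules
    )


def missing_flows(rule_text, required=REQUIRED_FLOWS):
    """Return the required flows that the rule set does not allow."""
    rules = parse_rules(rule_text)
    return [f for f in required if not permitted(f, rules)]


# Constructed rule set with two gaps: upload HTTP (4889) and the ICMP echo reply.
SAMPLE_RULES = """
allow console oms tcp 7799
allow console oms tcp 7101
allow oms omr tcp 1521
allow oms agent tcp 3872
allow agent oms tcp 1159
allow oms target_host icmp 8
allow oms target_db tcp 1521
allow oms target_host tcp 22
"""

if __name__ == "__main__":
    for f in missing_flows(SAMPLE_RULES):
        print(f"not permitted: {f.src} -> {f.dst} {f.proto}/{f.port}")
```

Run against the constructed rule set it reports the two gaps; the same check can be fed the optional ports (BIP 9801, JVMD 3801, MOS 443, AOM 8081) by extending REQUIRED_FLOWS, and a stateful firewall only needs the initiating direction listed, which is why the echo reply is modelled separately from the echo request.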
Proxy Servers: Enabling multiple proxy servers for OMS <-> Agent communication
Can I configure proxy servers for a centralized Oracle Management Server to talk to agents in different DMZ zones? My targets are in different DMZ zones isolated by corporate firewall and network topology.

Proxy server support for OMS <-> Agent communication
[Figure: repository and Oracle Management Service (OMS) behind a load balancer in the EM corporate network; agents in Demilitarized Zone 1 and Demilitarized Zone 2, each reached through its own proxy server across the firewall/gateway]
Configure different proxy servers for agents in different DMZ networks:
• OMS to Agent: Setup -> Proxy Settings -> Agents
• Agents are associated to proxy servers by name or pattern during proxy server creation
• Agent to OMS: Setup -> Agents -> Advanced Properties -> proxyHost, proxyPort
Server Hardening
OS hardening, user authentication, security update management, inbound TCP/IP port control. Frequently asked queries.

Enterprise Manager Target Authentication: Centralize user account management
How can I set up my named credentials to authenticate against an Active Directory account? I have LDAP or Kerberos user authentication on the hosts.
Pluggable Authentication Modules (PAM)
• Enables centralized user account management
– Improves user-level security
– Flexibility in managing user authentication
– Allows configuration of a defined global password policy
• Flexible configuration using four dynamically loaded module types
– Auth module: identifying the user
– Account module: restricting account access
– Password module: changing passwords
– Session module: managing user sessions
[Figure: the EM Agent's PAM stack loads pam_ldap.so, libpam_krb5 and pam_unix.so from the PAM library for LDAP, Kerberos and UNIX authentication]
Configuration file: /etc/pam.d/emagent
  #%PAM-1.0
  auth     required pam_ldap.so
  account  required libpam_krb5
  password required pam_ldap.so
  session  required pam_unix.so
Enterprise Manager Target Authentication: Restricted privilege delegation
How can I make sure that privileged access is used only for patching/provisioning activity? I have restricted OS access by locking the root and oracle accounts and use privilege delegation to impersonate access for patching/provisioning tasks.
Privilege Delegation for Restricted Functionality
• Restricted root access for PATCHING and PROVISIONING activity only
[Figure: an OS-authenticated user (john) runs EM Agent job commands with elevated privileges as the locked account (oracle or root) through nmosudo, constrained by a restricted sudoers entry]
Sample restricted sudoers entry for patching:
  Cmnd_Alias PATCH_DISPATCHER = \
      <agent_home>/sbin/nmosudo DEFAULT_PLUGIN DEFAULT_FUNCTIONALITY DEFAULT_SUBACTION DEFAULT_ACTION perl *, \
      <agent_home>/sbin/nmosudo DEFAULT_PLUGIN DEFAULT_FUNCTIONALITY DEFAULT_SUBACTION DEFAULT_ACTION <dispatcher_loc>/patching_root_dispatcher.sh *, \
      <agent_home>/sbin/nmosudo DEFAULT_PLUGIN DEFAULT_FUNCTIONALITY DEFAULT_SUBACTION DEFAULT_ACTION <dispatcher_loc>/root_dispatcher.sh *, \
      <agent_home>/sbin/nmosudo DEFAULT_PLUGIN DEFAULT_FUNCTIONALITY DEFAULT_SUBACTION DEFAULT_ACTION id
  john ALL = (oracle) /u01/app/oracle/emagent/12.1.0.5/sbin/nmosudo PATCH_DISPATCHER
  john ALL = (root) /u01/app/oracle/emagent/12.1.0.5/sbin/nmosudo PATCH_DISPATCHER
Enterprise Manager Target Authentication: Passwordless target authentication
I want to configure stronger passwordless communication to targets. Is it feasible?

Configure Passwordless Target Authentication
• Host targets
– SSH key credentials
– Key exchange algorithm (JSch version .53) configurable at the EM Agent: sshKexAlgorithms property in emd.properties
• Database targets
– PKI credentials
– Kerberos credentials
[Figure: an SSH key named credential held by the Oracle Management Service (OMS); the private key is passed to the EM Agent, whose Java SSH client authenticates to the host target]
Application Hardening
User login, account management, access control. Frequently asked queries.

Enterprise Manager Authentication: Centralize authentication
How can I configure centralized authentication with Enterprise Manager? I want to configure my corporate Active Directory users to log into Enterprise Manager.
Working with Centralized Authentication Providers
• Step 1: Configure the underlying WebLogic Server to work with the authentication provider
• The OMS delegates user authentication to the WebLogic Server (in the OMS stack) for external authentication
• If the LDAP server is Microsoft Active Directory, Oracle Internet Directory or Oracle Access Manager:
– Native support with one-step configuration: emctl config auth
• If any other external authentication provider:
– Manually configure with the out-of-box WebLogic security provider, OR
– Create and configure custom security providers through the WebLogic service provider interface (APIs)
[Figure: the Oracle Management Service (OMS) delegates to the authentication providers: repository, AD, OIM, OAM]
Working with Centralized Authentication Providers
• Step 2: Configure external roles
• Auto-assigns Enterprise Manager roles to users based on LDAP group membership
– Define an Enterprise Manager role and mark it "External"
– <Enterprise Manager external role name> = <LDAP_group_name>
• Step 3: Enable auto provisioning
• Automates the provisioning of Enterprise Manager user accounts upon first login
– Set OMS property oracle.sysman.core.security.auth.autoprovisioning = true
• Simplify administration with external roles and auto provisioning
• Auto-creates Enterprise Manager user accounts
• Provides Enterprise Manager users with defined privileges on first login
• Centralized authentication login controls: password profile management
Better user and role administration
Enterprise Manager Authorization: Differentiate access to database targets
How do I give application developers read-only access to view the performance management report for a production database target? I have various teams that perform specific database management tasks based on their job profile.
Flexible Database Access Control Privileges
• Different personas of database users with different authorization levels
• Application Developer, Application DBA, Database Administrator, Performance Administrator
• Flexible database access control privileges
• Very granular database target privileges available for target types: Database Instance, Cluster Database and Pluggable Database
• Unless explicitly granted, no access to menu items or database regions.
• Underlying database privileges are required.
• Separate View and Manage privileges for all areas in DB management (~150)
• Out-of-box aggregated privileges/roles also available
– Database Application DBA, Database Application Developer (roles)
– Manage Database Performance Privilege Group, View Database Schema Privilege Group (privileges)
Principle of least privilege for database target management
Flexible Database Access Control Privileges
[Figure: the Application DBA role carries the Database Application DBA privilege on DB1, DB2, DB3, DB4; the Application Developer role carries the Database Application Developer privilege on the same four database targets]
Application Developers are prevented from accessing the grayed-out menu items, for example "SQL Performance Analyzer Setup" and "SQL Access Advisor". Application DBAs have access to "SQL Performance Analyzer Setup" and "SQL Access Advisor".
Enterprise Manager Access Management: Privileged DB credential access and management
How do I protect my sensitive privileged DB credentials?

Use Private Roles for Sharing Named Credentials
– Some sensitive privileges cannot be added to a System Role
• Any Super Administrator has access and can grant to any user
• Any Super Administrator could grant a role without the knowledge of the owner
– To grant these sensitive privileges to many users, use Private Roles
– Private Roles:
• Only role owners or role grantees can grant the role to other users
• Only the role owner has access to modify/delete the private role
– Share restricted Named Credentials between administrators by assigning them to a Private Role, then granting that role to your users.
[Figure: a Privileged Administrator (Private Role owner) grants a Private Role containing a DB credential to Application DBAs; privilege levels shown: Full Deployment Procedure, View Credential, Edit Credential, Full Credential, Full Job]
Automate Password Management for Privileged Named Credentials
• Detection: use a Compliance Violation
– Create a Configuration Extension for the database instance target type to monitor DB account password expiry (refer to the SQL query in the Appendix)
– Create an agent-side Compliance Standard Rule and Compliance Standard
– Associate the database instance targets with the compliance standard
• Alternate option
– EMCLI script with verb get_db_account, passing in the "-expire_in_hours" parameter
• Remediation
– EMCLI verb update_db_password changes the password at the DB target and in all Enterprise Manager credential references
– Supports changing the password for ALL users, including SYS/SYSDBA users
– Sample: emcli update_db_password -target_name=mydb -user_name=dbsnmp -target_type=oracle_database -change_all_references=yes -change_at_target=yes
Data Hardening
Strong passwords, file ACLs, endpoint security and secure communication paths (TLS), database access settings. Frequently asked queries.

Enterprise Manager Secure Data Communication: TLS 1.2 compliance
Are Enterprise Manager components TLS 1.2 compliant? I want to secure my sensitive data over the network infrastructure.
TLS 1.2 Compliance in Monitoring and Infrastructure
[Figure: channels between Console, Agent, Oracle Management Service (OMS), Oracle Management Repository (OMR), Always-On Monitoring Service (AOM), Always-On Monitoring Repository and Database Target]
• EM 13c:
– All infrastructure channels TLS 1.2 enabled by default
– FMW target monitoring TLS 1.2 enabled by default
• EM 13.2: TLS 1.2 with configuration
– OMS -> DB Target
– 13c Agent -> DB Target
– OMS -> OMR
– AOM -> OMR
– AOM -> AOM Repository
Refer to the Appendix for configuration.
Enterprise Manager Secure Data Communication: Certificates for encryption
I configured communications using Oracle-provided certificates. Is this secure? I have my Enterprise Manager services available over the public network. How can any client accessing these services be ensured of data integrity and authenticity?

Custom Third-Party CA Certificates
• For a truly secured environment:
• Get your own custom third-party CA certificate
• RSA keys with a minimum of 2048-bit key strength
• Do not use X.509 certificates signed with the MD5 algorithm. Request SHA-2 (SHA-256 or SHA-512).
• Do not use the self-signed certificates of Enterprise Manager
• Do not use the default WebLogic Server demonstration certificates
• Configure custom third-party CA certificates for:
1) Console to OMS
2) Agent to OMS
3) WebLogic Server
4) OMS and Agent to target database
5) OMS to OMR
6) AOM to OMR
7) AOM to AOM Repository
8) Agent to AOM
[Figure: the eight numbered channels between Console, Agent, Database Targets, Oracle Management Service (OMS), Oracle Management Repository (OMR), Always-On Monitoring Service (AOM) and the Always-On Monitoring Repository (AOM Rep)]
Configuring Custom Third-Party CA Certificates
• Configuring OMS
– Request a certificate with the load balancer name as Common Name if the OMSes are front-ended by a load balancer.
– Secure the HTTPS console access
– Secure the HTTPS upload access
– Secure the agents
• Configuring WebLogic Server components
– SSL certificates are to be generated with the physical host name of the OMS machine.
– In a multi-OMS setup, separate keystores need to be created for each OMS using the host name of that OMS server.
– Import the CA certificates into the trust store of the Agent which is monitoring the OMS
– Configure OMS and WLS using "emctl secure wls -wallet"
• Configuring Agents
– Copy the cwallet.sso file to the <AGENT_INST>/sysman/config/server directory.
– If the OMS SSL certificate has been signed by a different CA than the Agent's, import the root certificates of the Agent's new SSL certificate into the OMS trust store using "emctl secure oms -wallet -trust_certs_loc"
Refer to the Security Guide for samples and details.
Configuring Third-Party CA Certificates
• Configuring OMS/AOM to Repository
– Secure OMS access
• Import the database server CA certificate into the OMS JDK TrustStore.
– Secure AOM access
• Two options
– Import the database server CA certificate into the Oracle Management Service JDK TrustStore.
– Store the certificates in an external TrustStore
• AOM setup with EMSCA
– Long format of the DB connection string
• Configuring OMS/Agent to target database
– For communication between Oracle Management Service and database
• EMCTL properties to be set at the OMS server
– For communication between Agent and database
• EMCTL properties to be set at the Agent
• Configuring Agent to AOM
– Request a certificate with the load balancer name as Common Name if the AOMs are front-ended by a load balancer.
– Configure AOM with "emsctl secure [-wallet]"
– If the custom certificates are not signed by the same CAs the agents trust, add these CAs to the agent trust store.
• Add the custom certificate CA to the OMS using emctl secure oms -trust_certs_loc <trustCerts.txt>
• Re-secure the agents
Refer to the Security Guide for samples and details.
Enterprise Manager Secure Data Communication: Upgrading certificates with minimal outage
How can I upgrade the OMS certificate chain without causing a business-wide outage? I want to migrate/upgrade my current PKI hierarchy because my certificates have expired or become obsolete.
Upgrading Third-Party CA Certificate Chain (with minimized downtime)
Changes in the root/intermediate certificate chain have no effect on user certificates; only the -trust_certs_loc option is used.
• Step 1: Update the OMS-side trust store with both the new and the old CA chain.
– emctl secure oms -trust_certs_loc <file containing new and old CAs>
• After running this command, check the Trust Certificate Details table in the Security Console (Setup -> Security -> Security Console -> Secure Communication) and verify that the new CAs are there.
• Step 2: Re-secure the agents. This updates the trust store on the agent to hold both the old and the new CA chain, so the agent can connect to both the old OMS certificate and the new certificate.
– emcli secure_agents, OR an OS Command job running "emctl secure agent [-emdWalletSrcUrl <slb url>]" on every agent. After all agents are re-secured, go to step 3.
• Step 3: Change the OMS certificate and update the trust store to hold only the new CA.
– emctl secure oms -wallet <new wallet> -trust_certs_loc <file containing new CAs> -console [slb options]
– emctl stop oms -all; emctl start oms (bounce the OMSes in a rolling fashion)
• Step 4 (optional, clean up the trust store with the old CA): Re-secure the agents in bulk so their trust store holds only the new CA.
– emcli secure_agents, OR an OS Command job running "emctl secure agent [-emdWalletSrcUrl <slb url>]" on every agent
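The reason the four steps must run in this order is that an agent can only validate the OMS certificate while its trust store contains the issuing CA. The following is an added example, not part of the presentation or of Oracle's tooling: a small model of the procedure that records, after each step, which agents can no longer authenticate the OMS, and that also runs the steps in the wrong order (OMS certificate swapped before the agents are re-secured) to show the outage that ordering avoids. CA names and agent names are constructed.

```python
"""Trust-store overlap during the CA chain upgrade described above.

Added example, not from the presentation. It models the OMS trust store, the
OMS certificate's issuing CA and each agent's trust store as sets, and checks
after every step whether the agents can still validate the OMS certificate.
CA and agent names are constructed.
"""

OLD_CA, NEW_CA = "OldRootCA", "NewRootCA"  # constructed chain names


class Oms:
    def __init__(self):
        self.cert_issuer = OLD_CA  # CA that signed the OMS certificate currently in use
        self.trust = {OLD_CA}      # OMS-side trust store (what agents copy on re-secure)


class Agent:
    def __init__(self, name):
        self.name = name
        self.trust = {OLD_CA}

    def can_connect(self, oms):
        """TLS server authentication succeeds only if the agent trusts the OMS cert's issuer."""
        return oms.cert_issuer in self.trust


def resecure(agents, oms):
    """Models 'emcli secure_agents': each agent takes over the OMS trust store."""
    for a in agents:
        a.trust = set(oms.trust)


def rotate(oms, agents, swap_before_resecure=False):
    """Run the procedure; return, per step, the names of agents that cannot connect."""
    broken = []

    def record():
        broken.append([a.name for a in agents if not a.can_connect(oms)])

    # Step 1: emctl secure oms -trust_certs_loc <old + new CAs>
    oms.trust = {OLD_CA, NEW_CA}
    record()
    if swap_before_resecure:
        # Wrong order: OMS certificate swapped while agents still trust only the old CA
        oms.cert_issuer, oms.trust = NEW_CA, {NEW_CA}
        record()
        resecure(agents, oms)
        record()
        return broken
    # Step 2: re-secure agents so they trust both chains
    resecure(agents, oms)
    record()
    # Step 3: emctl secure oms -wallet <new> -trust_certs_loc <new CAs>, rolling bounce
    oms.cert_issuer, oms.trust = NEW_CA, {NEW_CA}
    record()
    # Step 4 (optional clean-up): re-secure agents again, dropping the old CA
    resecure(agents, oms)
    record()
    return broken


if __name__ == "__main__":
    print("slide order:", rotate(Oms(), [Agent("a1"), Agent("a2")]))
    print("swap first: ", rotate(Oms(), [Agent("a1"), Agent("a2")], swap_before_resecure=True))
```

With the slide's order no agent is ever unable to connect; with the OMS certificate swapped first, every agent drops out until it is re-secured, which is exactly the outage the overlap period in steps 1 and 2 is designed to prevent.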
Enterprise Manager Secure Data Communication: Cipher suite hardening
Can Enterprise Manager components be configured to use only specific stronger cipher suites? I want to tighten security controls on allowed cipher suites.
Cipher Suite Hardening
• Hardening measures in Enterprise Manager 13.2
– All RC4 ciphers are disabled by default
– The MD5withRSA algorithm is disabled for the TLS 1.2 handshake
– X.509 certificates containing an MD5-based digital signature algorithm are disabled by default
• Users are given the option to use the deprecated MD5-based certificates until SHA-2 certificates are procured.
– Perfect forward secrecy with ephemeral key exchanges (ECDHE/DHE) for OMS <-> Agent communication
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
– Other cipher suites supported for OMS <-> Agent communication
• SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256
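The policy on the slide (RC4 and MD5 out, ECDHE preferred for forward secrecy, a set of RSA-key-exchange suites still allowed) can be applied mechanically to any list of suite names. The following is an added example, not Oracle's code: it classifies IANA-style cipher suite names, rejecting the classes the slide disables and reporting whether a suite provides forward secrecy, then filters the slide's own list plus some constructed legacy names. The token list and the treatment of 3DES as a flagged-but-allowed suite are my modelling of the slide, not an Oracle setting.

```python
"""Cipher suite policy check modelled on the 13.2 hardening above.

Added example, not Oracle's code. Classifies IANA-style suite names: suites
containing RC4 or MD5 (and the NULL/EXPORT/anonymous classes no hardened
deployment should carry) are rejected; ECDHE/DHE key exchange counts as
forward secrecy; 3DES is allowed by the slide but flagged for review.
"""

# Tokens whose presence disqualifies a suite under this policy (assumption for this example)
DISALLOWED_TOKENS = ("RC4", "MD5", "NULL", "EXPORT", "ANON", "DES40")

# The suites listed on the slide, in slide order
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]

# Constructed legacy names of the kind the slide says are disabled by default
LEGACY_SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_NULL_SHA256",
]


def classify(suite):
    """Describe one suite: allowed?, why not, forward secrecy?, uses 3DES?"""
    name = suite.upper()
    reasons = [t for t in DISALLOWED_TOKENS if t in name]
    if "_ECDHE_" in name:
        kx = "ECDHE"
    elif "_DHE_" in name:
        kx = "DHE"
    else:
        kx = "RSA"  # static RSA (or static ECDH): session keys recoverable from the server key
    return {
        "suite": suite,
        "allowed": not reasons,
        "reasons": reasons,
        "forward_secrecy": kx in ("ECDHE", "DHE"),
        "uses_3des": "3DES" in name,
    }


def filter_suites(candidates, require_pfs=False):
    """Keep only suites the policy allows, optionally only those with forward secrecy."""
    kept = []
    for s in candidates:
        c = classify(s)
        if not c["allowed"] or (require_pfs and not c["forward_secrecy"]):
            continue
        kept.append(s)
    return kept


if __name__ == "__main__":
    for s in SUPPORTED_SUITES + LEGACY_SUITES:
        c = classify(s)
        flag = "ok" if c["allowed"] else "reject(" + ",".join(c["reasons"]) + ")"
        print(f"{s:42} {flag:18} pfs={c['forward_secrecy']} 3des={c['uses_3des']}")
```

Running it over the combined list drops the three legacy names and, with require_pfs=True, leaves exactly the three ECDHE suites the slide singles out; the 3DES flag is there so a reviewer notices the 112-bit suite even though the slide still permits it.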
Administrative Hardening
Security policies, procedures, governance, auditing. Frequently asked queries.

Enabling Audit: Client hostname audit tracing
How can I track access to the user? My OMSes are front-ended by a server load balancer. Audit data and active user sessions in the console show the SLB hostname/IP address instead of the client hostname/IP address.
Client Hostname Audit Tracing with Load Balancer
• Enable audit:
– To audit access to high-priority assets, such as databases and application servers that host business-critical information.
– To audit access to shared and privileged accounts
• If the OMS is front-ended by a server load balancer:
– Enable the Insert X-Forwarded-For option in the HTTP profile in the load balancer
– OR configure an iRule to insert the original client IP address in an X-Forwarded-For HTTP header
– Terminate the SSL connection at the load balancer
– Set the OMS property "oracle.sysman.core.security.audit.client_ip_header_name" to "X-Forwarded-For"
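Once the OMS is told to take the client address from a header, the audit record is only as trustworthy as that header, and any client that can reach the OMS without passing through the load balancer can write whatever it likes into X-Forwarded-For. The following is an added example, not Oracle's implementation of the property above: it shows the resolution rule an audit layer should apply, honouring the header only when the TCP peer is the load balancer and walking the address list from the right so that entries added by the trusted hop win over entries the client may have supplied. The trusted proxy range, header values and addresses are constructed.

```python
"""Resolving the client address for audit when an SLB inserts X-Forwarded-For.

Added example, not Oracle's code. Rule: trust the forwarded header only when
the connection itself came from a known load balancer, then take the
right-most address that is not itself a trusted proxy. The proxy range and
sample headers are constructed.
"""
import ipaddress

# Constructed: the address range the load balancer connects from
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(remote_addr, headers, header_name="X-Forwarded-For", trusted=TRUSTED_PROXIES):
    """Return the address to write into the audit trail for this request.

    remote_addr: the TCP peer address the OMS actually saw
    headers:     request headers (names compared case-insensitively)
    """
    peer = ipaddress.ip_address(remote_addr)
    # Direct connection that bypassed the SLB: the header is untrusted, log the peer
    if not _is_trusted(peer, trusted):
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(header_name.lower())
    if not value:
        return str(peer)
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in value.split(",") if h.strip()]
    except ValueError:
        # Malformed header: never record an unparsable string as a client address
        return str(peer)
    # The SLB appends the address it saw; earlier entries may be client-supplied.
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return str(hop)
    return str(peer)


if __name__ == "__main__":
    print(client_ip("10.0.0.5", {"X-Forwarded-For": "203.0.113.7"}))
    print(client_ip("198.51.100.9", {"X-Forwarded-For": "203.0.113.7"}))
    print(client_ip("10.0.0.5", {"x-forwarded-for": "203.0.113.7, 10.0.0.6"}))
```

The second call is the important one: a client that reaches the OMS directly with a forged header is logged under its real peer address, which is why the slide's setup is paired with firewall rules that allow console traffic only from the load balancer.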
Enterprise Manager: Proactive Security Hardening Summary
• Proactive security hardening measures of Enterprise Manager leveraged within a Defense-in-Depth security model
• Scalable risk management solution encompassing robust controls
• Strong management practices reducing the vulnerability surface and risk

Appendix
Secured Communication across Firewalls: Alternative to using ICMP ping
• Define an alternate command to be used instead of ICMP ping
• Set the command in the property
– oracle.sysman.core.omsAgentComm.ping.pingCommand
Configuration Extension to Monitor DB Account Password Expiry
• SQL query:
  SELECT USERNAME || ' going to expire in next 24 hours'
    FROM SYS.DBA_USERS
   WHERE ACCOUNT_STATUS NOT LIKE '%EXPIRED%'
     AND ROUND((EXPIRY_DATE - SYSDATE) * 24, 0) <= 24
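The query above is the detection half of the "Automate password management for privileged Named credentials" slide, and it has two edge cases worth seeing explicitly: an account whose EXPIRY_DATE is already past but whose ACCOUNT_STATUS has not yet changed to EXPIRED is still reported (the rounded hour count is negative), and an account with no expiry date (NULL EXPIRY_DATE) is never reported because the comparison with NULL is not true. The following is an added example, not Oracle's code: the same condition applied in Python, with Oracle-style rounding, to constructed rows shaped like the DBA_USERS columns the query reads, so the Configuration Extension's behaviour can be reasoned about without a database. Usernames and dates are made up.

```python
"""Password expiry detection, mirroring the appendix SQL in Python.

Added example, not Oracle's code. Applies the query's condition (account not
yet flagged EXPIRED, expiry within 24 hours, Oracle-style ROUND) to constructed
rows shaped like the SYS.DBA_USERS columns. Usernames and dates are made up.
"""
import math
from datetime import datetime


def hours_to_expiry(expiry_date, now):
    """ROUND((EXPIRY_DATE - SYSDATE) * 24, 0): Oracle rounds halves away from zero,
    unlike Python's round(), so it is done by hand here."""
    hours = (expiry_date - now).total_seconds() / 3600
    return int(math.copysign(math.floor(abs(hours) + 0.5), hours))


def expiring_accounts(users, now, horizon_hours=24):
    """Rows the query would return, as (username, rounded hours to expiry).

    Negative hours are included, as in the SQL: the date has passed but the
    status column has not been updated to EXPIRED yet. A NULL EXPIRY_DATE
    (no expiry) never satisfies the SQL comparison, so it is skipped here too.
    """
    hits = []
    for u in users:
        if "EXPIRED" in u["account_status"] or u["expiry_date"] is None:
            continue
        hours = hours_to_expiry(u["expiry_date"], now)
        if hours <= horizon_hours:
            hits.append((u["username"], hours))
    return hits


def violation_messages(users, now):
    """The text the SQL builds, one line per violating account."""
    return [f"{name} going to expire in next 24 hours" for name, _ in expiring_accounts(users, now)]


# Constructed sample rows (USERNAME, ACCOUNT_STATUS, EXPIRY_DATE)
SAMPLE_USERS = [
    {"username": "DBSNMP", "account_status": "OPEN", "expiry_date": datetime(2016, 9, 20, 8, 0)},
    {"username": "SYSMAN", "account_status": "OPEN", "expiry_date": datetime(2016, 10, 15, 0, 0)},
    {"username": "APPUSER", "account_status": "EXPIRED", "expiry_date": datetime(2016, 9, 18, 0, 0)},
    {"username": "BATCH", "account_status": "OPEN", "expiry_date": datetime(2016, 9, 19, 6, 0)},
    {"username": "SYS", "account_status": "OPEN", "expiry_date": None},
]
SAMPLE_NOW = datetime(2016, 9, 19, 12, 0)  # constructed evaluation time

if __name__ == "__main__":
    for line in violation_messages(SAMPLE_USERS, SAMPLE_NOW):
        print(line)
```

At the constructed evaluation time DBSNMP (20 hours left) and BATCH (6 hours past, status still OPEN) are reported; SYSMAN is weeks away, APPUSER is already flagged EXPIRED, and SYS has no expiry date. When the violation fires, the remediation on the slide is emcli update_db_password, which changes the password at the target and in every Enterprise Manager credential reference in one step.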
Configuring TLS 1.2 for OMS -> OMR
Best practices for configuring one-way SSL server authentication (the OMS is the client; the OMR repository server presents its identity)
• Accommodate in planned downtime
• Follow the Database Security Guide for enabling TCPS in the OMR repository
• SSL client authentication must be turned off in listener.ora and sqlnet.ora
• SSL_VERSION = 1.2 in sqlnet.ora (for locking to TLS 1.2)
• Disable native client encryption (if turned ON)
• Blackout the repository targets (database, Management Services and Repository, Management Service, Metadata Repository) to suppress the alerts.
• Refer to the official Security Guide for the complete process
Configuring TLS 1.2 for AOM -> OMR / AOM Repository
Best practices for configuring one-way SSL server authentication
• Accommodate in planned downtime
• Follow the Database Security Guide for enabling TCPS in the AOM repository
• SSL client authentication must be turned off in listener.ora and sqlnet.ora
• SSL_VERSION = 1.2 in sqlnet.ora (for locking to TLS 1.2)
• Two approaches
– Import the database server CA certificate into the JDK trust store
– External trust store holding the database server CA certificate
• EMSCA configuration: the repository connection string for AOM and EM should be in long format
Configuring TLS 1.2 for Database Target Monitoring
Best practices for configuring two-way SSL authentication (the OMS is the client and the database target the server; both present their identity)
• Follow the Database Security Guide for enabling TCPS in the OMR repository
• SSL client authentication must be turned ON
• SSL_VERSION = 1.2 in sqlnet.ora (for locking to TLS 1.2)
• Configure secure wallets with third-party CA certificates
– For communication between Oracle Management Service and database
– For communication between Agent and database
• Perform the OMS bounce in a rolling fashion to minimize the downtime
• Bounce the agent after importing the wallets
• Refer to the official Security Guide for the complete process
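The three appendix slides above prescribe the same sqlnet.ora settings with one difference: client authentication is off for the OMS/AOM to repository channels (one-way) and on for database target monitoring (two-way). The following is an added example, not Oracle's tooling: a small checker that parses the simple KEY = VALUE form of sqlnet.ora and reports deviations from those requirements for the channel being configured. The parameter names SSL_CLIENT_AUTHENTICATION and WALLET_LOCATION are the standard sqlnet.ora names for the settings the slides describe in words (they are not named on the slides), and the sample files are constructed.

```python
"""sqlnet.ora check for the TLS 1.2 settings on the appendix slides above.

Added example, not Oracle's tooling. Parses single-line KEY = VALUE entries
(comments start with '#') and checks: SSL_VERSION is 1.2; client
authentication is off for one-way channels (OMS/AOM -> repository) and on
for two-way channels (database target monitoring), where a wallet must also
be configured. Parameter names are the standard sqlnet.ora ones; the sample
files are constructed.
"""


def parse_sqlnet(text):
    """Return {PARAMETER: value} for single-line entries; nested multi-line values are
    outside this example's scope."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().upper()] = value.strip()
    return params


def check_tls12(text, mode):
    """mode: 'one_way' for OMS/AOM -> repository, 'two_way' for database target monitoring.
    Returns a list of findings; an empty list means the file meets the slide's requirements."""
    if mode not in ("one_way", "two_way"):
        raise ValueError("mode must be 'one_way' or 'two_way'")
    p = parse_sqlnet(text)
    findings = []
    if p.get("SSL_VERSION") != "1.2":
        findings.append(f"SSL_VERSION must be 1.2 (found {p.get('SSL_VERSION')!r})")
    want = "FALSE" if mode == "one_way" else "TRUE"
    actual = p.get("SSL_CLIENT_AUTHENTICATION", "").upper()
    if actual != want:
        findings.append(f"SSL_CLIENT_AUTHENTICATION must be {want} for {mode} (found {actual or 'unset'})")
    if mode == "two_way" and "WALLET_LOCATION" not in p:
        findings.append("WALLET_LOCATION missing: a wallet with the client certificate is needed for two-way TLS")
    return findings


# Constructed sample files
ONE_WAY_OK = """
# OMS -> OMR: server authentication only
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = FALSE
"""

TWO_WAY_OK = """
# OMS -> database target: both sides authenticated
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
"""

if __name__ == "__main__":
    print("one-way file as one-way:", check_tls12(ONE_WAY_OK, "one_way"))
    print("one-way file as two-way:", check_tls12(ONE_WAY_OK, "two_way"))
```

Feeding the one-way file to the two-way check produces two findings (client authentication off, no wallet), which is the mistake to watch for when the same sqlnet.ora template is reused for target monitoring after it was set up for the repository channel.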
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Centralized and Secure Monitoring of Databases: An Oracle Enterprise Manager 12c Implementation
Deepen Chakraborty, Enterprise Architect, Technology Manufacturing Group, Intel Corporation
Sep 19, 2016
Agenda
• Intel's DB monitoring profile and challenges
• Centralized Enterprise Manager 12c Cloud Control architecture
• Challenges: E2E monitoring over WAN
• Firewall port requirements and implementation
• Details of firewall ports configuration
• Role-based administrator security setup
• Lessons learned
Intel's Database Profile & Challenges
Database profile:
• Intel's Factory Automation databases are used for making critical manufacturing decisions (operational, planning, engineering analysis, process control)
• Automation databases include both mission-critical OLTP and mission-important DSS type systems (ranging from a few hundred GB up to 30 TB) spread across the US and Asia
Challenges:
• Local implementation of the EM10gR2 stack
• Maintenance of monitoring templates and notification rules, copy-exactly compliance
• Patching 14 different installations
Centralized Enterprise Manager 12c Cloud Control
Enterprise Manager 12c Architecture Box Diagram
[Figure: architecture box diagram showing the targets in a data center]
Centralized Enterprise Manager 12c Capabilities
• Able to monitor and use all the features of Oracle 11gR2 and 12c databases using EM12c Cloud Control, e.g. real-time query performance, real-time ADDM, reporting and metrics capabilities
• High availability (database and Oracle Management Server): near real-time monitoring alerts
• Fully automated target setup using the dynamic group feature after OMA install
• Robust security (super user, admin user, read-only user)
• Target control from target nodes instead of Cloud Control nodes using EMCLI
• No central dependency for the target databases' high availability (FSFO capability for targets) and backup/recovery
Challenges: E2E Monitoring Over WAN
Backup and recovery
• Even though monitoring of the targets was not a problem over the WAN, RMAN catalog-based backups were slow from the centralized OMS/OMR
Data Guard observer
• A reliable and fast connection is a prerequisite for the Data Guard observer in a Fast-Start Failover setup, to avoid false failover
Solution
• Local setup of highly available nodes providing a local recovery catalog database for fast backup and a local observer to avoid false failover
Firewall Port Implementation: Optimal Network Routing Setup
[Figure: the Oracle Management Server on the OMS host with the Oracle Management Repository, separated by firewalls from the target and from the target database and recovery catalog; ports shown: 77XX at the OMS host, 15XX to the repository, 38XX and 11xx/48xx between OMS and target, 1521 and 15xx to the target database and recovery catalog]
Detail Firewall Port Configuration
OMS is a two-node active/passive Microsoft cluster; the target database is a primary and a physical standby database.

Source: OMS server host (Active Node 1 IP address, Passive Node 1 IP address, OMS cluster VIP IP address)
Destination: database target host (Database Node 1 IP address, Database Node 2 IP address, ..., Database Node n IP address)
Ports: TCP grid listener port (15xx), TCP Data Guard private port (15xx), TCP database listener port (15xx), TCP 38xx, TCP 18xx

Source: database target hosts (Database Node 1 IP address, Database Node 2 IP address, ..., Database Node n IP address)
Destination: OMS server host (OMS VIP address)
Ports: TCP 11xx/48xx

Destination: recovery catalog database host (Primary Recovery Node 1 IP address, Physical Recovery Node 2 IP address)
Ports: TCP database listener port (15xx)

The steps need to be followed for all the target servers.
Role-Based Administrator Security Setup
Multiple levels of administrator created for efficient use of job roles and security.
Administrator name and responsibility:
• SYSMAN: Super Administrator
• <SITE>_ADMIN: the site admin can only view the targets associated with his/her site
• <Group>_ADMIN: the group admin is responsible for the group of databases; it can also administer the site admin
• <Appl>_ADMIN: application admin responsible for running application-level setup as well as running AWR/ASH along with performance-related reports
• <Appl>_View_User: application user with view-only mode for a particular application or group of applications
Credentials are created for access control of host, database and backup operations:
• Database host credentials for each host
• SYSDBA database credentials for each database
• Recovery catalog user credentials as normal database credentials
Lessons Learned and Benefits
Coordination with the network team:
• Pre-work with the network team on a strategy for enabling port-to-port communication
• Ensure easy troubleshooting of connectivity between the targets and OMS using the psping tool and Wireshark for firewall port monitoring
• Regular monitoring of EM12c OMR and OMS performance is key to success
• EM12c OMA communication with the OMS is very stable due to the layered communication implementation; it sustains small glitches in the environment
Benefits of central monitoring:
• Central dashboard view of all the targets: one-stop shop and setup (examples: centralized capacity planning, trending reports, custom reporting capability of backups for each target database, centralized Streams latency tracking in geographically different "capture and apply targets", central inventory of target host names, system metrics and configuration)
• Guaranteed copy-exactly monitoring of all targets
• One place to make changes makes the system easy to maintain
Thanks to the TMG Engineering Team for the contributions. Thank you for attending the session.
Application Database Blueprint
[Figure: Data Center 1 and Data Center 2, each with public, private and storage networks, Grid Infrastructure and ASM Data & FRA; the primary DB instance in Data Center 1 and the standby DB instance in Data Center 2 are linked by broker-enabled Data Guard (SYNC) with OBSERVER1 and OBSERVER2; mirrored LUN of redo/control/archive logs for double-failure coverage]

Observer and Recovery Catalog Database in Each Site
[Figure: the same two-data-center layout, with an observer in each site]
Data Guard (broker enabled) Fast-Start Failover zero data loss configuration (SYNC / Maximum Availability mode / real-time apply). For different versions of databases we will have multiple observers, which will run from different ORACLE_HOMEs.