Tips and Tricks for hardening Oracle Fusion Middleware, a presentation by Jacco Landlust & Simon Haslam (Saturday 8 December 12)


Page 1: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Tips and Tricks for hardening Oracle Fusion Middleware

a presentation by Jacco Landlust & Simon Haslam

Saturday 8 December 12

Page 2: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Jacco H. Landlust

• 35 years old

• Deventer, the Netherlands


Page 3: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Jacco H. Landlust / iDBA

• Independent Red Stack Administrator

• Oracle since 2000

• Oracle ACE since 2006

• iDBA since 2010

• Architecture, Clustering, High Availability, Performance & Management


Page 4: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Simon Haslam

• Over 35 years old

• Sherborne, UK


Page 5: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

• Oracle since 1996 (UNIX since 1989)

• Founded Veriton in 1996

• Oracle ACE Director since 2009

• Chair of the UKOUG Application Server & Middleware SIG

• Architecture, Design, Installation

• http://simonhaslam.co.uk

Simon Haslam


Page 6: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Why present together?

• Lone wolf pack

• We just like to talk, share ideas and discuss Oracle Fusion Middleware administrator topics

• Jointly organised Middleware Sunday at UKOUG12


Page 7: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Prerequisites & Disclaimer

• Background knowledge about middleware is assumed

• Best practices from our (limited) experience

• We do not pretend this list is complete

• We do not work for Oracle / represent Oracle

• This list worked for us; do not apply measures without evaluating them


Page 8: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Tips and Tricks for hardening Oracle Fusion Middleware


Page 9: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

What is Hardening?

There is not one definition; it is a set of best practices

Minimal Guidance is available in the Oracle Documentation set for FMW 11g Products

Only harden when your initial configuration is complete


Page 10: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

List of Topics

• Firewall

• Track & Trace

• SSL

• Miscellaneous


Page 11: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Architecture

• Decide upon definitions in your team

• Document your train of thought

• We love pictures

• Segregation of environments (DTAP)

• Start with security measures as soon as possible


Page 12: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Architecture

• Separate system components from Java components

• Separate directories

• Separate binaries from configuration

• Separate AdminServer from Managed Servers

• Standardize & automate as much as possible


Page 13: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Architecture

• Tiered architecture

• Think about access to components:

• from where?

• to what?

• by whom?

• If you are not using a component, don’t configure it


Page 14: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Architecture


Page 15: Tips and Tricks for hardening Oracle Fusion Middleware 16-9


Page 16: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Motivation for (Additional) Firewalling

• You are not the only service in the DMZ (you are in the DMZ, right?)

• Finer grained access to services


Page 17: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

(Additional) Firewalling

Operating System provided (iptables, Windows Firewall, etc.)

or

Connection based (WebLogic’s Network Connection Filters)


Page 18: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Network Connection Filter

• Connection filters let you deny access at the network level

• Network connection filters are a type of firewall in that they can be configured to filter on protocols, IP addresses, and DNS node names

• Reminder: rules are domain wide


Page 19: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Connection Filter Rules Syntax

Each rule must be written on a single line.

• Tokens in a rule are separated by white space.

• A pound sign (#) is the comment character. Everything after a pound sign on a line is ignored.

• Whitespace before or after a rule is ignored.

• When entering the filter rules on the Administration Console, enter them in the following format: target localAddress localPort action protocols

• If no protocol is defined, the rule matches all protocols

• The rules are evaluated in the order in which they were written


Page 20: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Example: Setup filter to block all non-http traffic

127.0.0.1 * 7001 allow

192.168.56.101 * 7001 allow

0.0.0.0/0 * 7001 allow http

0.0.0.0/0 * 7001 deny


Page 21: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Example: Setup filter to block all non-http traffic

weblogic.security.net.ConnectionFilterImpl


Page 22: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Example: Setup filter to block all non-http traffic

<29-sep-2012 11:58:00 uur CEST> <Notice> <Socket> <BEA-000445> <Connection rejected, filter blocked Socket[addr=192.168.56.1,port=49182,localport=7001],

weblogic.security.net.FilterException: [Security:090220]rule 4>
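A small evaluator for the rule syntax of the previous slides, run over the four rules of the "block all non-http traffic" example and over the connection that the BEA-000445 message above rejected. This is an added illustration, not code from the presentation or from WebLogic; it assumes the rejected client spoke t3, and that a connection matching no rule is accepted (which is why the trailing deny rule is needed).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four rules from the slide; the '#' comments are added here and are legal rule syntax.
RULES_TEXT = """
127.0.0.1      * 7001 allow          # local admin access, any protocol
192.168.56.101 * 7001 allow          # second node of the demo domain, any protocol
0.0.0.0/0      * 7001 allow http     # everybody else: plain HTTP only
0.0.0.0/0      * 7001 deny           # ... and nothing else (t3, iiop, ...) on 7001
"""


@dataclass
class Rule:
    number: int            # 1-based; the number quoted in Security:090220 "rule N"
    target: str            # remote IP, CIDR block or DNS node name
    local_addr: str        # listen address the client connected to, or '*'
    local_port: str        # listen port, or '*'
    action: str            # 'allow' or 'deny'
    protocols: List[str]   # empty list = every protocol matches


def parse_rules(text: str) -> List[Rule]:
    """Parse rules in the 'target localAddress localPort action protocols' format."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # everything after '#' is ignored
        if not line:
            continue
        tokens = line.split()                  # tokens are whitespace separated
        if len(tokens) < 4 or tokens[3] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {raw.strip()!r}")
        rules.append(Rule(len(rules) + 1, tokens[0], tokens[1], tokens[2],
                          tokens[3], tokens[4:]))
    return rules


def _target_matches(target: str, remote_ip: str) -> bool:
    try:
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(target, strict=False)
    except ValueError:
        return target == remote_ip   # DNS node name: exact match only in this model


def evaluate(rules: List[Rule], remote_ip: str, local_addr: str,
             local_port: int, protocol: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first matching rule, in rule order.
    Assumption: a connection that matches no rule is accepted."""
    for r in rules:
        if not _target_matches(r.target, remote_ip):
            continue
        if r.local_addr != "*" and r.local_addr != local_addr:
            continue
        if r.local_port != "*" and int(r.local_port) != local_port:
            continue
        if r.protocols and protocol not in r.protocols:
            continue
        return r.action, r.number
    return "allow", None


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    # The rejected connection from the BEA-000445 message: 192.168.56.1 -> :7001,
    # assumed here to be a t3 (WLST) client; it falls through to rule 4.
    print(evaluate(RULES, "192.168.56.1", "192.168.56.101", 7001, "t3"))     # ('deny', 4)
    print(evaluate(RULES, "192.168.56.1", "192.168.56.101", 7001, "http"))   # ('allow', 3)
    # Caveat: these rules only cover port 7001; a managed server on 8001 is not filtered.
    print(evaluate(RULES, "10.0.0.5", "192.168.56.101", 8001, "t3"))          # ('allow', None)
```

The last call shows the check worth adding to any domain-wide rule set: every listen port that should be restricted needs its own allow/deny pair.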


Page 23: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

List of Topics

• Firewall

• Track & Trace

• SSL

• Miscellaneous


Page 24: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Motivation for Auditing

Trace administration activity to humans


Page 25: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Auditing

• By default, log level INFO is needed

• Security Audit Framework is best practice

• File-based for WebLogic

• Database audit store for FMW components


Page 26: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Security Audit Framework architecture


Page 27: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Motivation for Personal Accounts

• Trace administrative actions to a human (instead of weblogic)

• Least privileges / separation of duties

• Easier to revoke privileges


Page 28: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Personal Accounts

• Authentication providers

• Identity assertion authentication provider

• JAAS control flags

• Order of providers matters

• Most FMW layered products only find group memberships (and groups) for the first provider


Page 29: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Role Based Privileges

• For WebLogic configured in /console

• For most Fusion Middleware applications configured in /em

• Policy store provider in LDAP (e.g. OID, AD) or Database


Page 30: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

List of Topics

• Firewall

• Track & Trace

• SSL

• Miscellaneous


Page 31: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Motivation for SSL

• Protect (sensitive) data from being stolen while transported

• Usually obliged by security department to provide SSL to some degree: from just login details from webserver to client PC, through to all inter-process communications


Page 32: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Secure Sockets Layer / Transport Layer Security

• TLS and its predecessor SSL are cryptographic protocols

• The TLS protocol allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering.


Page 33: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

How does it work?

1. The client sends the server the client's SSL version number, cipher settings, session-specific data, and other information that the server needs to communicate with the client using SSL.

2. The server sends the client the server's SSL version number, cipher settings, session-specific data, and other information that the client needs to communicate with the server over SSL. The server also sends its own certificate, and if the client is requesting a server resource that requires client authentication, the server requests the client's certificate.

3. The client uses the information sent by the server to authenticate the server (see Server Authentication for details). If the server cannot be authenticated, the user is warned of the problem and informed that an encrypted and authenticated connection cannot be established. If the server can be successfully authenticated, the client proceeds to step 4.

4. Using all data generated in the handshake thus far, the client (with the cooperation of the server, depending on the cipher being used) creates the pre-master secret for the session, encrypts it with the server's public key (obtained from the server's certificate, sent in step 2), and then sends the encrypted pre-master secret to the server.

5. If the server has requested client authentication (an optional step in the handshake), the client also signs another piece of data that is unique to this handshake and known by both the client and server. In this case, the client sends both the signed data and the client's own certificate to the server along with the encrypted pre-master secret.


Page 34: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

How does it work?

6. If the server has requested client authentication, the server attempts to authenticate the client (see Client Authentication for details). If the client cannot be authenticated, the session ends. If the client can be successfully authenticated, the server uses its private key to decrypt the pre-master secret, and then performs a series of steps (which the client also performs, starting from the same pre-master secret) to generate the master secret.

7. Both the client and the server use the master secret to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify its integrity (that is, to detect any changes in the data between the time it was sent and the time it is received over the SSL connection).

8. The client sends a message to the server informing it that future messages from the client will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the client portion of the handshake is finished.

9. The server sends a message to the client informing it that future messages from the server will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the server portion of the handshake is finished.

source: http://en.wikipedia.org/wiki/Secure_Sockets_Layer


Page 35: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Key Information

• Identity store: information to uniquely and securely identify yourself

• Truststore: knowledge of whom to trust


Page 36: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Different Components, Different Keystores

• All Java components use Java keystores (by default)

• All system components use Oracle Wallets

• Most system components need auto-login wallets

• Default certificate authority root certificates are stored with JRE

• Do not run production on demo certificates


Page 37: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

When using WLST

• -Dweblogic.security.SSL.trustedCAKeyStore=/path/to/truststore.jks

• Setup WLST_PROPERTIES in ${MW_HOME}/wlserver_10.3/common/bin/wlst.sh

• Preferably create a wrapper script outside of your middleware home


Page 38: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Nodemanager

• Setup in nodemanager.properties

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=identity.jks
CustomIdentityKeyStorePassPhrase=Welcome01
CustomIdentityAlias=ukoug12demo.area51.local
CustomIdentityPrivateKeyPassPhrase=Welcome01
CustomTrustKeyStoreFileName=truststore.jks


Page 39: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

WebLogic Servers

• Change keystoretype to “Custom Identity & Custom Trust”, or “Custom Identity & Java Standard Trust”

• Configure Identity Keystore & Private Key Alias

• Configure Trust Keystore (if Custom Trust)

• Do not disable hostname verification

• Two-way SSL if possible


Page 40: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Layered Products

• Most can be configured from Enterprise Manager (you must have the administrator role for configuration!)

• Credential Maps are stored in an Oracle Wallet

• Setup SSL in mod_wl_ohs.conf to encrypt traffic between OHS and WLS, see MOS 1485016.1 for appropriate patches


Page 41: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Motivation for Domain Wide Administration Port

• Separation of administration traffic from application traffic in your domain

• Since communication by SSL is a prerequisite, administration traffic (which includes such things as administrator passwords) is more secure


Page 42: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Additional benefits

• Runs administrative actions on separate threads from application threads

• You can start a server in standby state


Page 43: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Caveats

• All servers in your domain must be configured with support for the SSL protocol

• Port conflicts: override the administration port per managed server if you have multiple managed servers on one node

• Inter-layered product communication usually runs as user weblogic / a user with the administrator role

• Registering system components can be more difficult


Page 44: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Example: Domain Wide Administration Port


Page 45: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Example: Domain Wide Administration Port

Console/Management requests or requests with <require-admin-traffic> specified to 'true' can only be made through an administration channel

WLSTException: Error occured while performing connect : User 'principals=[weblogic, Administrators]' has administration role. All tasks by adminstrators must go through an Administration Port.


Page 46: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

List of Topics

• Firewall

• Track & Trace

• SSL

• Miscellaneous


Page 47: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Motivation for Database Considerations

Same arguments as for SSL:

If all your traffic needs to be encrypted, also encrypt database connectivity


Page 48: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Database Considerations

• If possible, set up the repository before you harden your database

• Harden the database according to one of the whitepapers on OTN, but be aware that some features break RCU / Middleware setups

• JDBC over SSL

• Securing ONS

• Proxy Users


Page 49: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Database Considerations

http://docs.oracle.com/cd/E11882_01/license.112/e10594/options.htm#CIHGHJBE

Oracle Real Application Clusters includes the following features:

• Real Application Clusters

• Connection Load Balancing

• Fast Connection Failover

• Hot Cluster Failover

• Oracle Advanced Security SSL/TLS

• Includes all the capabilities of Oracle RAC One Node


Page 50: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Motivation for Separating Binaries from Configuration

• Minimizing privileges of runtime users

• More important when running multiple domains from one software home


Page 51: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Separate binaries from configuration

• The runtime user’s secondary group is the primary group of the binary owner

• Choose the correct umask [022 | 027] when installing software

• Need to fix privileges on some files / directories

• One nodemanager per runtime user


Page 52: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Caveats

• Binaries of system components need to be owned by the runtime user (e.g. apachectl or oidldapd)

• Different layered products have different requirements

• Support: if you run into trouble you might need to change privileges back to the original setup. A revert script would turn out to be useful.


Page 53: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Example: Fix Privileges for User Separation

#!/bin/sh
# Run as root (the chown steps need it), with MW_HOME pointing at the middleware
# home and DOMUSR set to the runtime (domain) user. The g+ bits only help when the
# runtime user's secondary group is the primary group of the binary owner.
: "${MW_HOME:?set MW_HOME to the middleware home}"
: "${DOMUSR:?set DOMUSR to the runtime user}"

# Let the group traverse every directory and read every file
find "${MW_HOME}" -type d -exec chmod g+rx {} \;
find "${MW_HOME}" -type f -exec chmod g+r {} \;

# Files and directories the runtime user must be able to write
chmod g+w "${MW_HOME}/logs"
touch "${MW_HOME}/domain-registry.xml"
chmod g+w "${MW_HOME}/domain-registry.xml"
touch "${MW_HOME}/wlserver_10.3/common/nodemanager/nodemanager.domains"
chmod g+w "${MW_HOME}/wlserver_10.3/common/nodemanager/nodemanager.domains"
chmod g+w "${MW_HOME}/wlserver_10.3/server/lib"
chmod g+w "${MW_HOME}/wlserver_10.3/server/lib"/*.jks
chmod g+w "${MW_HOME}/oracle_common/sysman"

# Hidden Java Object Cache files that must be group readable
chmod g+r "${MW_HOME}/oracle_common/modules/oracle.javacache_11.1.1/server_config/.sslConfig"
chmod g+r "${MW_HOME}/oracle_common/modules/oracle.javacache_11.1.1/server_config/.joc_demo_keystore.jks"
chmod g+r "${MW_HOME}/oracle_common/modules/oracle.javacache_11.1.1/server_config/.KEYSTORE"

# Executables the runtime user needs to run
find "${MW_HOME}" -name perl -exec chmod g+rx {} \;
find "${MW_HOME}" -name emagent -exec chmod g+rx {} \;
find "${MW_HOME}" -name emctl -exec chmod g+rx {} \;
find "${MW_HOME}" -name emdctl -exec chmod g+rx {} \;

# OHS: the setuid wrapper stays root-owned; the apachectl script belongs to the runtime user
chown root "${MW_HOME}/Oracle_WT1/ohs/bin/.apachectl"
chmod 6750 "${MW_HOME}/Oracle_WT1/ohs/bin/.apachectl"
chown "${DOMUSR}" "${MW_HOME}/Oracle_WT1/ohs/bin/apachectl"
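The caveats slide recommends keeping a revert script for support cases. The helper below is an added example, not the presenters' code: it snapshots mode, uid and gid under a directory before a fix script like the one above is run, reports what the script changed, and restores the snapshot; demo() exercises the round trip on a constructed temporary tree instead of a real middleware home.

```python
import json
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Entry = Dict[str, object]   # {"path": str, "mode": int, "uid": int, "gid": int}


def snapshot(root: str) -> List[Entry]:
    """Record permission bits, uid and gid of root and everything below it."""
    entries: List[Entry] = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are meaningless; the target has its own entry
            entries.append({"path": path, "mode": stat.S_IMODE(st.st_mode),
                            "uid": st.st_uid, "gid": st.st_gid})
    return entries


def save_snapshot(root: str, out_file: str) -> None:
    """Write the snapshot as JSON, e.g. right before the 'fix privileges' commands."""
    with open(out_file, "w") as fh:
        json.dump(snapshot(root), fh, indent=1)


def diff(before: List[Entry], after: List[Entry]) -> List[Tuple[str, int, int]]:
    """(path, old mode, new mode) for every entry whose permission bits changed."""
    old = {e["path"]: e["mode"] for e in before}
    return [(e["path"], old[e["path"]], e["mode"])
            for e in after if e["path"] in old and old[e["path"]] != e["mode"]]


def restore(entries: List[Entry]) -> int:
    """Put mode/uid/gid back as recorded; returns the number of entries changed.
    chown needs root, chmod only ownership. Deepest paths first, so a directory
    that loses group access is tightened only after its children are done."""
    changed = 0
    for e in reversed(entries):
        try:
            st = os.lstat(e["path"])
        except FileNotFoundError:
            continue  # removed since the snapshot: nothing to restore
        if stat.S_IMODE(st.st_mode) != e["mode"]:
            os.chmod(e["path"], e["mode"])
            changed += 1
        if (st.st_uid, st.st_gid) != (e["uid"], e["gid"]):
            os.chown(e["path"], e["uid"], e["gid"])
            changed += 1
    return changed


def demo() -> Dict[str, object]:
    """Constructed round trip: snapshot, apply a 'chmod g+r' like the slide's
    script does, diff against the snapshot, then revert."""
    root = tempfile.mkdtemp(prefix="mw_home_")
    jar = os.path.join(root, "lib.jar")
    open(jar, "w").close()
    os.chmod(jar, 0o600)                  # as installed with a too-strict umask
    before = snapshot(root)
    os.chmod(jar, 0o640)                  # hardening step: g+r for the runtime group
    changed = diff(before, snapshot(root))
    reverted = restore(before)
    return {"changed": changed, "reverted": reverted,
            "mode_after_revert": stat.S_IMODE(os.stat(jar).st_mode)}
```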


Page 54: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Summary

• Shut down / deinstall whatever you don’t use

• Restrict access to components by firewalling

• Audit everything and make changes traceable to humans

• Encrypt traffic with SSL as much as possible


Page 55: Tips and Tricks for hardening Oracle Fusion Middleware 16-9

Q&A
