Tips and Tricks for hardening Oracle Fusion Middleware
a presentation by Jacco Landlust & Simon Haslam
Saturday 8 December 12
Jacco H. Landlust
• 35 years old
• Deventer, the Netherlands
Sections: Introduction | Firewall | Track & Trace | SSL | Misc
Jacco H. Landlust / iDBA
• Independent Red Stack Administrator
• Oracle since 2000
• Oracle ACE since 2006
• iDBA since 2010
• Architecture, Clustering, High Availability, Performance & Management
Simon Haslam
• Over 35 years old
• Sherborne, UK
• Oracle since 1996 (UNIX since 1989)
• Founded Veriton in 1996
• Oracle ACE Director since 2009
• Chair of the UKOUG Application Server & Middleware SIG
• Architecture, Design, Installation
• http://simonhaslam.co.uk
Why present together?
• Lone wolf pack
• We just like to talk, share ideas and discuss Oracle Fusion Middleware administrator topics
• Jointly organised Middleware Sunday at UKOUG12
Prerequisites & Disclaimer
• Background knowledge about middleware is assumed
• Best practices from our (limited) experience
• We do not pretend this list is complete
• We do not work for Oracle / represent Oracle
• This list worked for us; do not apply measures without evaluating them
Tips and Tricks for hardening Oracle Fusion Middleware
What is Hardening?
• There is not one definition; it is a set of best practices
• Minimal guidance is available in the Oracle documentation set for FMW 11g products
• Only harden when your initial configuration is complete
List of Topics
• Firewall
• Track & Trace
• SSL
• Miscellaneous
Architecture
• Decide upon definitions in your team
• Document your train of thought
• We love pictures
• Segregation of environments (DTAP: development, test, acceptance, production)
• Start with security measures as soon as possible
Architecture
• Separate system components from Java components
• Separate directories
• Separate binaries from configuration
• Separate AdminServer from Managed Servers
• Standardize & automate as much as possible
Architecture
• Tiered architecture
• Think about access to components:
  • from where?
  • to what?
  • by whom?
• If you are not using a component: don’t configure it
Architecture (diagram slides)
Motivation for (Additional) Firewalling
• You are not the only service in the DMZ (you are in the DMZ, right?)
• Finer grained access to services
(Additional) Firewalling
• Operating system provided (iptables, Windows Firewall, etc.)
or
• Connection based (WebLogic’s Network Connection Filters)
Network Connection Filter
• Connection filters let you deny access at the network level
• Network connection filters are a type of firewall in that they can be configured to filter on protocols, IP addresses, and DNS node names
• Reminder: rules are domain wide
Connection Filter Rules Syntax
• Each rule must be written on a single line.
• Tokens in a rule are separated by white space.
• A pound sign (#) is the comment character. Everything after a pound sign on a line is ignored.
• Whitespace before or after a rule is ignored.
• When entering the filter rules in the Administration Console, enter them in the following format: target localAddress localPort action protocols
• If no protocol is specified, the rule matches all protocols
• The rules are evaluated in the order in which they were written
Example: Set up a filter to block all non-HTTP traffic
127.0.0.1 * 7001 allow
192.168.56.101 * 7001 allow
0.0.0.0/0 * 7001 allow http
0.0.0.0/0 * 7001 deny
Connection filter class, entered in the Connection Filter field on the domain's Security > Filter page of the Administration Console: weblogic.security.net.ConnectionFilterImpl
The server logs a rejected connection and names the rule that matched (rule 4, the final deny):
<29-sep-2012 11:58:00 uur CEST> <Notice> <Socket> <BEA-000445> <Connection rejected, filter blocked Socket[addr=192.168.56.1,port=49182,localport=7001],
weblogic.security.net.FilterException: [Security:090220]rule 4>
127.0.0.1 * 7001 allow
192.168.56.101 * 7001 allow
0.0.0.0/0 * 7001 allow http
0.0.0.0/0 * 7001 deny
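To make the rule semantics concrete, here is an added example (not from the slides or from WebLogic) that parses rules in the format above and reports which rule a connection hits, reproducing the "rule 4" rejection from the log. It assumes targets are IP addresses or networks, and that a connection matching no rule is accepted; DNS node names are not resolved.

```python
import ipaddress
from collections import namedtuple

# Constructed copy of the four rules from the slide: block everything except HTTP on port 7001.
RULES_TEXT = """
127.0.0.1      * 7001 allow        # loopback, any protocol
192.168.56.101 * 7001 allow        # the other node in the domain, any protocol
0.0.0.0/0      * 7001 allow http   # everyone else: HTTP only
0.0.0.0/0      * 7001 deny         # everyone else: nothing else
"""

Rule = namedtuple("Rule", "target local_addr local_port action protocols")


def parse_rules(text):
    """Parse rules in the 'target localAddress localPort action protocols' format, one per line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' starts a comment; surrounding whitespace is ignored
        if not line:
            continue
        tokens = line.split()  # tokens are separated by white space
        if len(tokens) < 4 or tokens[3] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {line!r}")
        target, local_addr, local_port, action = tokens[:4]
        # Assumption of this example: the target is an IP address or network (CIDR or dotted
        # netmask). DNS node names, which WebLogic also accepts, are not handled here.
        network = ipaddress.ip_network(target, strict=False)
        rules.append(Rule(network, local_addr, local_port, action, frozenset(tokens[4:])))
    return rules


def evaluate(rules, remote_ip, local_addr, local_port, protocol):
    """Return (action, rule_number) of the first matching rule, numbered from 1 as in BEA-000445."""
    addr = ipaddress.ip_address(remote_ip)
    for number, rule in enumerate(rules, start=1):
        if addr not in rule.target:
            continue
        if rule.local_addr != "*" and rule.local_addr != local_addr:
            continue
        if rule.local_port != "*" and int(rule.local_port) != int(local_port):
            continue
        if rule.protocols and protocol not in rule.protocols:  # empty list: every protocol matches
            continue
        return rule.action, number
    return "allow", None  # assumption: no matching rule means accept, hence the trailing deny rule


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    # The rejected connection from the log: 192.168.56.1 -> local port 7001, not HTTP (e.g. t3 from WLST)
    print(evaluate(rules, "192.168.56.1", "192.168.56.101", 7001, "t3"))    # ('deny', 4)
    print(evaluate(rules, "192.168.56.1", "192.168.56.101", 7001, "http"))  # ('allow', 3)
```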
Motivation for Auditing
Trace administration activity to humans
Auditing
• By default, log level INFO is needed
• Security Audit Framework is best practice
• File-based for WebLogic
• Database audit store for FMW components
Security Audit Framework architecture (diagram)
Motivation for Personal Accounts
• Trace administrative actions to a human (instead of weblogic)
• Least privileges / separation of duties
• Easier to revoke privileges
Personal Accounts
• Authentication providers
• Identity assertion authentication provider
• JAAS control flags
• Order of providers matters
• Most FMW layered products only find group memberships (and groups) for the first provider
Role Based Privileges
• For WebLogic: configured in /console
• For most Fusion Middleware applications: configured in /em
• Policy store provider in LDAP (e.g. OID, AD) or Database
Motivation for SSL
• Protect (sensitive) data from being stolen while transported
• Usually the security department requires SSL to some degree: from just the login details between web server and client PC, through to all inter-process communication
Secure Sockets Layer / Transport Layer Security
• TLS and its predecessor SSL are cryptographic protocols
• The TLS protocol allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering.
How does it work?
1. The client sends the server the client's SSL version number, cipher settings, session-specific data, and other information that the server needs to communicate with the client using SSL.
2. The server sends the client the server's SSL version number, cipher settings, session-specific data, and other information that the client needs to communicate with the server over SSL. The server also sends its own certificate, and if the client is requesting a server resource that requires client authentication, the server requests the client's certificate.
3. The client uses the information sent by the server to authenticate the server (see Server Authentication for details). If the server cannot be authenticated, the user is warned of the problem and informed that an encrypted and authenticated connection cannot be established. If the server can be successfully authenticated, the client proceeds to step 4.
4. Using all data generated in the handshake thus far, the client (with the cooperation of the server, depending on the cipher being used) creates the pre-master secret for the session, encrypts it with the server's public key (obtained from the server's certificate, sent in step 2), and then sends the encrypted pre-master secret to the server.
5. If the server has requested client authentication (an optional step in the handshake), the client also signs another piece of data that is unique to this handshake and known by both the client and server. In this case, the client sends both the signed data and the client's own certificate to the server along with the encrypted pre-master secret.
How does it work?
6. If the server has requested client authentication, the server attempts to authenticate the client (see Client Authentication for details). If the client cannot be authenticated, the session ends. If the client can be successfully authenticated, the server uses its private key to decrypt the pre-master secret, and then performs a series of steps (which the client also performs, starting from the same pre-master secret) to generate the master secret.
7. Both the client and the server use the master secret to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify its integrity (that is, to detect any changes in the data between the time it was sent and the time it is received over the SSL connection).
8. The client sends a message to the server informing it that future messages from the client will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the client portion of the handshake is finished.
9. The server sends a message to the client informing it that future messages from the server will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the server portion of the handshake is finished.
source: http://en.wikipedia.org/wiki/Secure_Sockets_Layer
Key Information
• Identity store: information to uniquely and securely identify yourself
• Truststore: knowledge of whom to trust
Different Components, Different Keystores
• All Java components use Java keystores (by default)
• All system components use Oracle Wallets
• Most system components need auto-login wallets
• Default certificate authority root certificates are stored with the JRE
• Do not run production on demo certificates
When using WLST
• -Dweblogic.security.SSL.trustedCAKeyStore=/path/to/truststore.jks
• Set WLST_PROPERTIES in ${MW_HOME}/wlserver_10.3/common/bin/wlst.sh
• Preferably create a wrapper script outside of your middleware home
Nodemanager
• Set up in nodemanager.properties:
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=identity.jks
CustomIdentityKeyStorePassPhrase=Welcome01
CustomIdentityAlias=ukoug12demo.area51.local
CustomIdentityPrivateKeyPassPhrase=Welcome01
CustomTrustKeyStoreFileName=truststore.jks
WebLogic Servers
• Change the keystore type to “Custom Identity & Custom Trust” or “Custom Identity & Java Standard Trust”
• Configure Identity Keystore & Private Key Alias
• Configure Trust Keystore (if Custom Trust)
• No disabling of hostname verification
• 2-way SSL if possible
Layered Products
• Most can be configured from Enterprise Manager (you must have the administrator role for configuration!)
• Credential Maps are stored in an Oracle Wallet
• Set up SSL in mod_wl_ohs.conf to encrypt traffic between OHS and WLS; see MOS 1485016.1 for the appropriate patches
Motivation for Domain Wide Administration Port
• Separation of administration traffic from application traffic in your domain
• Since communication by SSL is a prerequisite, administration traffic (which includes such things as administrator passwords) is more secure
Additional benefits
• Runs administrative actions on separate threads from application threads
• You can start a server in standby state
Caveats
• All servers in your domain must be configured with support for the SSL protocol
• Port conflicts: override the port per managed server if you have multiple managed servers on one node
• Inter-layered product communication usually runs as user weblogic / a user with the administrator role
• Registering system components can be more difficult
Example: Domain Wide Administration Port
Console/Management requests or requests with <require-admin-traffic> specified to 'true' can only be made
through an administration channel
WLSTException: Error occured while performing connect : User 'principals=[weblogic, Administrators]' has administration role. All tasks by adminstrators must go through an Administration Port.
Motivation for Database Considerations
Same arguments as for SSL:
if all your traffic needs to be encrypted, also encrypt database connectivity
Database Considerations
• If possible: set up the repository before you harden your database
• Harden the database according to one of the whitepapers on OTN, but be aware that some features break RCU / Middleware setups
• JDBC over SSL
• Securing ONS
• Proxy Users
Database Considerations
http://docs.oracle.com/cd/E11882_01/license.112/e10594/options.htm#CIHGHJBE
Oracle Real Application Clusters includes the following features:
• Real Application Clusters
• Connection Load Balancing
• Fast Connection Failover
• Hot Cluster Failover
• Oracle Advanced Security SSL/TLS
• Includes all the capabilities of Oracle RAC One Node
Motivation for Separating Binaries from Configuration
• Minimizing privileges of runtime users
• More important when running multiple domains from one software home
Separate binaries from configuration
• The runtime user's secondary group is the primary group of the binary owner
• Choose the correct umask [022 | 027] when installing software
• Need to fix privileges on some files / directories
• One nodemanager per runtime user
Caveats
• The binary of a system component needs to be owned by the runtime user (e.g. apachectl or oidldapd)
• Different layered products have different requirements
• Support: if you run into trouble you might need to change privileges back to the original setup. A revert script would turn out to be useful.
Example: Fix Privileges for User Separation
# Run as the owner of the binaries. MW_HOME is the shared software home; DOMUSR is the runtime
# (domain) user, whose secondary group is the binary owner's primary group.
# Give the group read access to every file and traverse access to every directory
find "${MW_HOME}" -type d -exec chmod g+rx {} \;
find "${MW_HOME}" -type f -exec chmod g+r {} \;
# Files and directories the runtime user must be able to write to
chmod g+w "${MW_HOME}/logs"
touch "${MW_HOME}/domain-registry.xml"
chmod g+w "${MW_HOME}/domain-registry.xml"
# nodemanager.domains lives under wlserver_10.3/common/nodemanager
touch "${MW_HOME}/wlserver_10.3/common/nodemanager/nodemanager.domains"
chmod g+w "${MW_HOME}/wlserver_10.3/common/nodemanager/nodemanager.domains"
chmod g+w "${MW_HOME}/wlserver_10.3/server/lib"
chmod g+w "${MW_HOME}/wlserver_10.3/server/lib"/*.jks
chmod g+w "${MW_HOME}/oracle_common/sysman"
# Hidden Java Object Cache configuration files the runtime user must be able to read
chmod g+r "${MW_HOME}/oracle_common/modules/oracle.javacache_11.1.1/server_config/.sslConfig"
chmod g+r "${MW_HOME}/oracle_common/modules/oracle.javacache_11.1.1/server_config/.joc_demo_keystore.jks"
chmod g+r "${MW_HOME}/oracle_common/modules/oracle.javacache_11.1.1/server_config/.KEYSTORE"
# Executables the runtime user needs to run must be group-executable
find "${MW_HOME}" -name perl -exec chmod g+rx {} \;
find "${MW_HOME}" -name emagent -exec chmod g+rx {} \;
find "${MW_HOME}" -name emctl -exec chmod g+rx {} \;
find "${MW_HOME}" -name emdctl -exec chmod g+rx {} \;
# OHS: .apachectl is the setuid/setgid root wrapper (mode 6750: only owner and group may run it);
# the visible apachectl belongs to the runtime user
chown root "${MW_HOME}/Oracle_WT1/ohs/bin/.apachectl"
chmod 6750 "${MW_HOME}/Oracle_WT1/ohs/bin/.apachectl"
chown "${DOMUSR}" "${MW_HOME}/Oracle_WT1/ohs/bin/apachectl"
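The caveats slide recommends keeping a revert script. As an added example (not from the slides), this helper records the mode and owner of everything under a software home before the fix script runs and renders that snapshot as a shell script that restores it; demo() exercises it on a constructed temporary directory standing in for ${MW_HOME}.

```python
import os
import shlex
import stat
import tempfile


def snapshot_permissions(root):
    """Walk root and return (path, mode, uid, gid) for every directory and regular file found."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # chmod follows symlinks; record the targets, not the links
            entries.append((path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return entries


def revert_script(entries):
    """Render a snapshot as a shell script that puts the recorded modes and owners back."""
    lines = ["#!/bin/sh",
             "# Restores the modes and owners recorded before the hardening script ran.",
             "set -e"]
    for path, mode, uid, gid in entries:
        quoted = shlex.quote(path)
        lines.append(f"chown {uid}:{gid} {quoted}")  # numeric ids survive renamed accounts
        lines.append(f"chmod {mode:04o} {quoted}")
    return "\n".join(lines) + "\n"


def demo():
    """Constructed stand-in for MW_HOME: snapshot, apply one step of the fix, return what changed."""
    with tempfile.TemporaryDirectory() as mw_home:
        keystore = os.path.join(mw_home, "DemoTrust.jks")  # constructed file, not a real keystore
        with open(keystore, "w") as handle:
            handle.write("constructed")
        os.chmod(keystore, 0o600)  # as installed with a restrictive umask: the group cannot read it
        before = {path: mode for path, mode, _, _ in snapshot_permissions(mw_home)}
        script = revert_script(snapshot_permissions(mw_home))
        os.chmod(keystore, 0o640)  # the hardening step from the slide: chmod g+r
        after = stat.S_IMODE(os.stat(keystore).st_mode)
        return before[keystore], after, script


if __name__ == "__main__":
    original, hardened, revert = demo()
    print(f"before {original:04o}, after {hardened:04o}")
    print(revert)
```

Run snapshot_permissions against the real home as the binary owner before the fix script, save the output of revert_script next to it, and only then apply the chmod/chown lines.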
Summary
• Shut down / deinstall whatever you don’t use
• Restrict access to components by firewalling
• Audit everything and make changes traceable to humans
• Encrypt traffic with SSL as much as possible