1 / 78

Oracle Enterprise Manager Security Best Practices

Oracle Enterprise Manager Security Best Practices. Huaqing Wang, Senior Product Manager, Oracle Ravi Pinnamaneni, Consulting Member of Technical Staff, Oracle.

wallace
Télécharger la présentation

Oracle Enterprise Manager Security Best Practices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Oracle Enterprise Manager Security Best Practices Huaqing Wang, Senior Product Manager, Oracle Ravi Pinnamaneni, Consulting Member of Technical Staff, Oracle

  2. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

  3. Agenda <Insert Picture Here> • Oracle Enterprise Manager Overview • Security Best Practices • Managing Enterprise Manager Security using Enterprise Manager • Q & A • Appendix

  4. Agenda <Insert Picture Here> • Oracle Enterprise Manager Overview • Security Best Practices • Managing Enterprise Manager Security using Enterprise Manager • Q & A • Appendix

  5. Business-Driven IT Management 6 © 2010 Oracle Corporation

  6. Enterprise Manager Security CertificationCommon Criteria EAL 4+ • Enterprise Manager security feature development process rigorously vetted and certified by independent government agency • Certified with Common Criteria Evaluation Assurance Level (EAL) 4+ with ID# BSI-DSZ-CC-0621-2010 on Aug., 27, 2010 • Comprehensive evaluation process took 2+ years to complete • EAL4+ is highest mutually recognized level among governments worldwide

  7. Oracle Enterprise Manager Architecture Overview Oracle Management Repository • Oracle Management Agent (Management Agent) • An integral software component deployed on each monitored host • Responsible for monitoring and managing the hosts and all the targets running on those hosts, communicating the information (metrics, configurations,etc.) to Oracle Management Service (OMS) Oracle Management Service Grid Control Console Oracle Management Agent

  8. Oracle Enterprise Manager Architecture Overview Oracle Management Repository • Oracle Management Service (OMS) • J2EE Web application that orchestrates with Oracle Management Agents to discover targets, monitor and manage them, and upload the collected information to Oracle Management Repository for future reference and analysis • Renders the user interface for the Grid Control Console Oracle Management Service Grid Control Console Oracle Management Agent

  9. Oracle Enterprise Manager Architecture Overview Oracle Management Repository • Oracle Management Repository (Management Repository) • An Oracle database where all the information (metrics, configurations, etc.) collected by the Oracle Management Agents gets stored Oracle Management Service Grid Control Console Oracle Management Agents

  10. Oracle Enterprise Manager Architecture Overview Oracle Management Repository • Grid Control Console • A web user interface from where you can monitor and administer your entire computing environment Oracle Management Service Grid Control Console Oracle Management Agent

  11. Agenda <Insert Picture Here> • Oracle Enterprise Manager Overview • Security Best Practices • Managing Enterprise Manager Security using Enterprise Manager • Q & A • Appendix

  12. Enterprise Security Considerations and Threats

  13. Enterprise Security Considerations and Threats • Data confidentiality and integrity • Not disclosed to any entities unless they are authorized to access • Not changed, destroyed, or lost in unauthorized or accidental manner • Man-in-the-Middle attacks • Interrupts, intercepts, modifies or fabricates data in transit Interrupted/Stolen OMS Management Agent

  14. Enterprise Security Considerations and Threats • Data Availability • Available and usable upon demand by an authorized entity • Denial-of-Service attacks • Makes Management Repository or OMS unavailable to intended users by flooding them with more requests than they can handle OMS Management Agent Hacker

  15. Enterprise Security Considerations and Threats • Authentication • The process to verify the identity, usually username and password, claimed by a user • Password crack attacks • Obtains password from an authentication exchange, then uses the password to log on to Enterprise Manager Grid Control • For examples: guess, dictionary and brute force attacks

  16. Enterprise Security Considerations and Threats • Segregation of duties • No person should be given responsibility for more than one related function • Exploitation of authorization • Accesses resources (targets, jobs, templates and so on) that he/she should not be authorized to

  17. Enterprise Security Considerations and Threats • Non-repudiation • Network security: Neither sender nor recipient can later deny having processed the information • Web Application security: No one can later deny the actions he/she has taken in the application • Repudiation • Refuses authoring of something that happened

  18. Oracle Enterprise Manager Security Overview • Enterprise Manager Infrastructure Security • Authentication, Authorization and Audit – The Three A’s • Security of target authentications

  19. Enterprise Manager Infrastructure Security Oracle Management Repository • Enterprise Manager Infrastructure Security • Securing individual Enterprise Manager components • Securing communication Oracle Management Service Grid Control Console Management Agent Host Database Application

  20. Infrastructure Security Best Practices Securing Enterprise Manager Components Oracle Management Repository • Harden the machines on which OMS and Management Repository reside • Remove unsecure services such as FTP, telnet, rlogin and so on • Close UDP and TCP ports for services that are disabled • Apply all security patches • Always apply latest relevant CPUs for OS, Oracle Database, Oracle Weblogic Server, OMS and Agents • Use privilege delegation tool such as sudo/Powerbroker for the access to the owner of OMR, OMS and Agent Oracle Homes • Disable owner account , “oracle”, direct log in to hosts • Allow normal users to perform administrative tasks without disclosing password of privileged user Oracle Management Service Grid Control Console Oracle Management Agent

  21. Infrastructure Security Best PracticesOracle Management Repository Oracle Management Repository • Follow best practices for securing the Oracle Database (e.g. Oracle Database Security Checklist) • Restrict operation system access • Limiting the number of OS users with access on Oracle Database host • Restricting the ability for these users to modify the default file/directory permissions of Oracle Home • Restrict network access to the Repository • Check Network IP Address to allow the access to Oracle Database only from authorized nodes • Configure $TNS_ADMIN/protocol.ora file • tcp.validnode_checking=yes • tcp.included_nodes={list of IP addresses} • If Repository is the only database on the host, we can limit the nodes to OMS nodes only • Please refer to the link for more information http://www.oracle.com/technetwork/database/security/twp-security-checklist-database-1-132870.pdf Oracle Management Service Grid Control Console Oracle Management Agent

  22. Infrastructure Security Best PracticesOracle Management Service Oracle Management Repository • Follow best practices for securing Oracle Weblogic Server (Securing the Production Environment for Oracle Weblogic Server) • Protect WebLogic Server Home directory especially domain directory which contains configuration files, security files, log files and other Java EE resources for the Weblogic domain. • Grant only one OS user who runs Weblogic Server the access privilege to the directory • Create no fewer than two user accounts with system administrator privileges • To ensure one user maintains account access in case another user becomes locked out by a dictionary/brute force attack • Please refer to http://download.oracle.com/docs/cd/E12839_01/web.1111/e13705.pdf for more information Oracle Management Service Grid Control Console Oracle Management Agent

  23. Infrastructure Security Best PracticesOracle Management Agent Oracle Management Repository • Deploy agent via pushing agents from OMS • Secure Shell (SSH) protocol is used in this approach, which ensures the confidentiality and integrity of agent installation • Use complex one-time registration passwords with reasonable expiry date • Registration password combined with random keys generated by OMS and agent is used to produce agent key to register and secure the agent • Protect against the possibility of unauthorized agents accessing OMS Oracle Management Service Grid Control Console Oracle Management Agent

  24. Oracle Enterprise Manager Security Overview Oracle Management Repository • Enterprise Manager Infrastructure Security • Securing individual Enterprise Manager components • Securing communication Oracle Management Service Grid Control Console Management Agent Host Database Application

  25. Infrastructure Security Best PracticesSecuring Communication Overview Oracle Management Repository • Various communications within Enterprise Manager • Between OMS and agent (Bidirectional) • Between browsers and OMS • Between OMS and Management Repository • Between OMS and targets • Communications in firewall environments Firewall Grid Control Console Oracle Management Service Firewall Management Agent Firewall Host Database Application

  26. Infrastructure Security Best PracticesSecuring Communication Between OMS and Agents Oracle Management Repository • Securing communication between OMS and Agents (Bidirectional) • It is secure locked out-of-box (10.2.0.5 and after), which means the communication is only over HTTPS • Security aspects of communication over HTTPS • What secure protocol is used • Secure Socket Layer (SSL) v3 • Transportation Layer Security (TLS) v1 • What strong cipher suites are used • Is certificate from well-known Certificate Authority (CA) Grid Control Console Oracle Management Service Management Agent Host Database Application

  27. Infrastructure Security Best PracticesSecuring communication • Enable TLS v1 only for communication between OMS and Management Agents • OMS: • emctl stop oms • emctl secure oms -protocol TLSv1 • Append -Dweblogic.security.SSL.protocolVersion=TLS1 to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh. • emctl start oms • Agent: • Update $Agent_Home/sysman/config/emd.properties • allowTLSonly=true Oracle Management Repository Grid Control Console Oracle Management Service TLS v1 Oracle Management Agent

  28. Infrastructure Security Best PracticesSecuring Communication Overview Oracle Management Repository • Various communications within Enterprise Manager • Between OMS and agent (Bidirectional) • Between browsers and OMS • Between OMS and Management Repository • Between OMS and targets • Communications in firewall environments Firewall Grid Control Console Oracle Management Service Firewall Management Agent Firewall Host Database Application

  29. Infrastructure Security Best PracticesConfiguring Enterprise Manager for Firewalls Firewalls are commonplace in most mature and modern IT infrastructures Two areas where Enterprise Manager and firewalls will interact Navigate between Enterprise Manager components separated by firewalls Communicate with managed targets that are behind firewalls Enterprise Manager is designed to cope with both cases but…. …this is one of the least understood areas when deploying Enterprise Manager in a secure environment Oracle Management Repository Firewall Grid Control Console Oracle Management Service Firewall Management Agent Firewall Host Database Application

  30. Infrastructure Security Best PracticesConfigure Enterprise Manager for Firewalls Oracle Management Repository • Best Practices: • Get firewalls into first design of the solution • Carefully analyze your protocol requirements between Enterprise Manager and the Managed Targets in your environment, e.g., • HTTP/HTTPS for communication between OMS and Agents • SQL*Net for the communication between OMS and Oracle Database targets • ICPM and UDP for the communication between beacons and managed targets • Consider placement of OMSs when laying down your Enterprise Manager topology • Work closely with the network team on design of groups and Access Control List (ACL) for groups of targets Firewall Grid Control Console Oracle Management Service Firewall Management Agent Firewall Host Database Application

  31. Infrastructure Security Best PracticesConfiguring Enterprise Manager for Firewalls Lots of different permutations with Enterprise Manager when dealing with Firewalls…. Configuring agents on a host protected by a firewall Configuring OMS on a host protected by a firewall Firewalls between OMS and OMR Firewall between your browser and Grid Grid Control Firewalls between the Grid Control and a managed database target Firewalls used with multiple OMS …… Let’s take a tour through some of these Oracle Management Repository Firewall Grid Control Console Oracle Management Service Firewall Management Agent Firewall Host Database Application

  32. Infrastructure Security Best PracticesConfigure Enterprise Manager for Firewalls • Configure Oracle Management Agent on a host protected by a firewall • Configure Oracle Management Agent to use proxy server for its upload to OMS • Update the following parameters in file $AGENT_HOME/sysman/config/emd.properties REPOSITORY_PROXYHOST=proxyhostname.domain REPOSITORY_PROXYPORT =port • If authentication is required, edit the following parameters as well REPOSITORY_PROXYREALM=realm REPOSITORY_PROXYUSER=proxyuser REPOSITORY_PROXYPWD=proxypassword • Configure firewall to allow inbound communication from OMS to Agent • Port 3872 (default) • Port range1830-1849 (non-default) Oracle Management Repository Grid Control Console Oracle Management Service Firewall Oracle Management Agent Oracle Management Agent

  33. Infrastructure Security Best PracticesConfigure Enterprise Manager for Firewalls • Configure Oracle Management Service on a host protected by a firewall • Configure OMS to use proxy server for its communication to agents outside the firewall • Update the following OMS properties via emctl set property command: • emctl set property –name <property> -value <value> PROXYHOST=proxyhostname.domain PROXYPORT =port • If there are some agents on the hosts that are inside the firewall, set dontProxyfor property for these hosts dontPROXYFor = hostname1,hostname2 • Configure firewall to allow inbound communication from Agents to OMS • Default HTTP/HTTPS Ports: 4889/1159 • Non-default port range 4890-4897/4898-4908 Oracle Management Repository Grid Control Console Oracle Management Service Firewall Oracle Management Agent

  34. Oracle Enterprise Manager Security Overview • Enterprise Manager Infrastructure Security • Authentication, Authorization and Audit – The Three A’s • Security of target authentications

  35. Audit Authentication, Authorization and Auditing The Three A’s • Authentication • Determines whether someone is in fact who it is declared to be while accessing Enterprise Manager Grid Control • Authorization • Provides access control to secure resources and functionalities within Enterprise Manager such as targets, jobs, templates, reports, etc. • Audit • Keeps track of the actions happened within Enterprise Manager to prevent repudiation Oracle Enterprise Manager Authentication Authorization View Reports Blackout Targets Submit Jobs Manage Metrics Manage Alerts …… Application Servers Jobs, Templates Reports, etc Applications Databases Hosts

  36. Audit Authentication, Authorization and Auditing The Three A’s • Authentication • Determines whether someone is in fact who it is declared to be while accessing Enterprise Manager Grid Control • Authorization • Provides access control to secure resources and functionalities within Enterprise Manager such as targets, jobs, templates, reports, etc. • Audit • Keeps track of the actions happened within Enterprise Manager to prevent repudiation Oracle Enterprise Manager Authentication Authorization View Reports Blackout Targets Submit Jobs Manage Metrics Manage Alerts …… Application Servers Jobs, Templates Reports, etc Applications Databases Hosts

  37. OSSO LDAP Server EUS The Three A’s Best PracticesAuthentication • Repository-based authentication (Default) • Use password profile to enforce the password control such as password complexity, failed login attempt, password reuse max, password life time, etc. • Leverage Grid Control user authentication to Oracle Single Sign-on (OSSO) or Enterprise User Security (EUS) • Simplify the identity management across the enterprise • Both SSO and EUS enable your users to authenticate to Grid Control by using their credentials stored in LDAP server Default Oracle Management Repository(OMR) Oracle Enterprise Manager

  38. The Three A’s Best PracticesAuthentication • Disable SYSMAN logging into Grid Control console by issuing the following SQL statement on Repository UPDATE MGMT_CREATED_USERSSET SYSTEM_USER=’-1’WHERE user_name=’SYSMAN’ • If you want to enable SYSMAN logging into Grid Control Console later on: UPDATE MGMT_CREATED_USERSSET SYSTEM_USER=’1’WHERE user_name=’SYSMAN’ • Change password for both SYSMAN and MGMT_VIEW on a regular basis • Prevent password crack attacks • emctl config oms -change_repos_pwd -change_in_db • emctl config oms –change_view_user_pwd

  39. Audit Authentication, Authorization and Auditing The Three A’s • Authentication • Determines whether someone is in fact who it is declared to be while accessing Enterprise Manager Grid Control • Authorization • Provides access control to secure resources and functionalities within Enterprise Manager such as targets, jobs, templates, reports, etc. • Audit • Keeps track of the actions happened within Enterprise Manager to prevent repudiation Oracle Enterprise Manager Authentication Authorization View Reports Blackout Targets Submit Jobs Manage Metrics Manage Alerts …… Application Servers Jobs, Templates Reports, etc Applications Databases Hosts

  40. The Three A’s Best Practices Authorization Overview • Two-step authorization process enables fine-grained access and segregation of duties: • Enterprise Manager authorization • Controls the access to the resources and functionalities within Enterprise Manager • Manage target metrics thresholds • Set alert notification rules • Enable/disable Enterprise Manager packs • Target authorization • Controls the access to the resources and functionalities within the target • CREATE new TABLE • Back-up database • Tune SQL • Enforced by target security model • Depends on the credential used to connect to the target Oracle Enterprise Manager Oracle Enterprise Manager Enterprise Manager Authorization Connect to target View Reports Blackout Targets Submit Jobs Manage Metrics Target Target Manage Alerts …… Target Authorization Application Servers Jobs, Templates Reports, etc Target Target Target Applications Databases Hosts

  41. The Three A’s Best Practices Authorization Overview SQLTuning DBA • Example: • Create new user, SQLTuningDBA, who is only responsible for tuning 2 of 100 managed database targets • Enterprise Manager authorization • Create EM user SQLTuningDBA • Grant VIEW Target Privilege on the 2 DB targets of interest • Target authorization • Target credentials used should have the following database privileges • select_any_catalog • administer sql tuning set • execute on dbms_workload_repository Oracle Enterprise Manager Connect as database user B Connect as database user A Database 1 Database 2 Databases

  42. The Three A’s Best Practices Enterprise Manager Authorization Overview What type of administrator should the new user be? • Normal Enterprise Manager Administrator • Has NO access to anything unless granted privileges • Super Administrator • Has FULL privileges on all targets and the ability to create Super Administrators

  43. The Three A’s Best Practices Enterprise Manager Authorization Overview • Normal Enterprise Manager Administrator • Has NO access to anything unless granted privileges • Super Administrator • Has FULL privileges on all targets and the ability to create Super Administrators What type of administrator should the new user be? • Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1),e.g., • Should the user be able to VIEW any targets • Should the user be able to ADD new targets? What System Privilege(s) should the user have?

  44. The Three A’s Best Practices Enterprise Manager Authorization Overview • Normal Enterprise Manager Administrator • Has NO access to anything unless granted privileges • Super Administrator • Has FULL privileges on all targets and the ability to create Super Administrators What type of administrator should the new user be? • Should the user only be able to monitor the databases of his own department? What System Privilege(s) should the user have? What target should the user be able to access? • Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1),e.g., • Should the user be able to VIEW any targets • Should the user be able to ADD new targets?

  45. The Three A’s Best Practices Enterprise Manager Authorization Overview • Normal Enterprise Manager Administrator • Has NO access to anything unless granted privileges • Super Administrator • Has FULL privileges on all targets and the ability to create Super Administrators • Enterprise Manager provides 7 Target Privileges, e.g., • Should the user be able to blackout target 1, 2 and 3? • Should the user be able to change metric threshold setting for target 4, 5 and 6? • Whether the user is able to tune performance of target 1 depends on the credential he uses to connect to target 1 What type of administrator should the new user be? What Target Privilege(s) should the user have What System Privilege(s) should the user have? What targets should the user be able to access? • Should the user only be able to monitor the databases of his own department? • Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1),e.g., • Should the user be able to VIEW any targets • Should the user be able to ADD new targets?

  46. The Three A’s Best Practices Enterprise Manager Authorization Overview • Enterprise Manager provides 7 Target Privileges, e.g., • Should the user be able to blackout target 1, 2 and 3? • Should the user be able to change metric threshold setting for target 4, 5 and 6? • Whether the user is able to tune performance of target 1 depends on the credential he uses to connect to target 1 • Normal Enterprise Manager Administrator • Has NO access to anything unless granted privileges • Super Administrator • Has FULL privileges on all targets and the ability to create Super Administrators • If groups of targets are always monitored and managed in the same way, do we have to grant the privileges on these individual targets to the user? • Privilege Propagating Group – Privileges granted on the group automatically granted on its members What type of administrator should the new user be? What Target Privilege(s) should the user have What System Privilege(s) should the user have? What targets should the user be able to access? Privilege Propagating Group • Should the user only be able to monitor the databases of his own department? • Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1),e.g., • Should the user be able to VIEW any targets • Should the user be able to ADD new targets?

  47. The Three A’s Best Practices Enterprise Manager Authorization Overview • Enterprise Manager provides 7 Target Privileges, e.g., • Should the user be able to blackout target 1, 2 and 3? • Should the user be able to change metric threshold setting for target 4, 5 and 6? • Whether the user is able to tune performance of target 1 depends on the credential he uses to connect to target 1 • Normal Enterprise Manager Administrator • Has NO access to anything unless granted privileges • Super Administrator • Has FULL privileges on all targets and the ability to create Super Administrators Role • If there are a set of users sharing the same responsibilities, do we have to grant all the individual privileges one by one to these users? • Role -- Set of privileges What type of administrator should the new user be? What Target Privilege(s) should the user have What System Privilege(s) should the user have? What targets should the user be able to access? • If groups of targets are always monitored and managed in the same way, do we have to grant the privileges on these individual targets to the user? • Privilege Propagating Group – Privileges granted on the group automatically granted on its members Privilege Propagating Group • Should the user only be able to monitor the databases of his own department? • Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1),e.g., • Should the user be able to VIEW any targets • Should the user be able to ADD new targets?

  48. The Three A’s Best Practices Enterprise Manager Authorization • Reduce the number of Super Administrators • Super Administrators have FULL privilege on all targets and could create additional Super Administrators • Grant only the minimum set of privileges • Follow the principle of least privilege to grant only the minimum set of privileges to the users to fulfill his responsibility • Achieve segregation of duties and simplify authorization management • Grant roles instead of individual privileges to users • Use roles along with Privilege Propagating groups • Monitor privilege/role operations through Enterprise Manager Auditing Oracle Enterprise Manager Authorization Application Servers Jobs, Templates Reports, etc Applications Databases Hosts

  49. Audit Authentication, Authorization and Auditing The Three A’s • Authentication • Determines whether someone is in fact who it is declared to be while accessing Enterprise Manager Grid Control • Authorization • Provides access control to secure resources and functionalities within Enterprise Manager such as targets, jobs, templates, reports, etc. • Audit • Keeps track of the actions happened within Enterprise Manager to prevent repudiation Oracle Enterprise Manager Authentication Authorization View Reports Blackout Targets Submit Jobs Manage Metrics Manage Alerts …… Application Servers Jobs, Templates Reports, etc Applications Databases Hosts

More Related