Oracle Advanced Support Gateway

Security Guide

Part No: E40643-09


June 2015
Copyright 2015, Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except
as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform,
publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is
prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS. Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered
to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As
such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or
documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous
applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all
appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this
software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of
SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered
trademark of The Open Group.
This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are
not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement
between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content,
products, or services, except as set forth in an applicable agreement between you and Oracle.
Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Access to Oracle Support

Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Contents

Oracle Advanced Support Gateway Security Guide ... 7
  About the Oracle Advanced Support Gateway ... 7
  General Requirements ... 8
  Changes to the Security Guide Since the Last Release ... 8
  Firewall Port Requirements ... 9
  External Connection ... 10
    SSL VPN and Oracle Advanced Support Gateway ... 10
    Alternative External Connection Option ... 11
  Internal Connection ... 11
  Network Protocol and Port Matrix ... 11
    External Traffic Firewall Rules Table ... 12
    Internal Traffic Firewall Rules Tables ... 12
    External Traffic Through the Encrypted VPN Tunnel ... 18
  Audit Logging Feature ... 18
    Enabling and Disabling Logging Messages ... 20

6 Oracle Advanced Support Gateway Security Guide June 2015
Oracle Advanced Support Gateway Security Guide

This document outlines the requirements for deploying the Oracle Advanced Support Gateway
(OASG) into the customer environment to support the delivery of Oracle Connected Services.
The Oracle Advanced Support Gateway is an important part of the Oracle delivery architecture
for Oracle Connected Services and its placement must be carefully considered in order
for Oracle to deliver Oracle Connected Services. This document outlines configuration
options when integrating the Oracle Advanced Support Gateway device within the customer
environment. To help explain these options, this document assumes a "simple" customer-side
network topology. However, these options can extend to more complex network topologies.
Oracle sales personnel are available to discuss the options for Oracle Advanced Support
Gateway deployment.

About the Oracle Advanced Support Gateway


The Oracle Advanced Support Gateway is a multi-purpose platform designed to facilitate a
number of Oracle connected services including Oracle Platinum Services, LifeCycle services,
Business Critical support, and Advanced Monitoring and Resolution.

The gateway platform is based on hardened Solaris and Oracle Linux operating systems and
hosts a full set of Oracle software stacks, including Automated Service Request (ASR), Oracle
Enterprise Manager (12c), Oracle Configuration Manager (OCM), patch management (such as
YUM services), and a suite of Java applications.

Together, these applications aggregate and route telemetry messages from the customer
infrastructure to the Oracle Premier Support platform. The same Oracle Advanced Support
Gateway is also used as a bastion host and provides remote access for Oracle engineers to
access the customer network (with customer permission) and to carry out approved actions
on customer hosts. In short, the Oracle Advanced Support Gateway allows simplification of
the network requirements and a single point of access for the provision and delivery of Oracle
services.

The Oracle Advanced Support Gateway and the general security model it uses are described in the
Global Customer Support Security Practices, which are available at
http://www.oracle.com/us/support/policies/index.html.


General Requirements
There are a number of general requirements that are necessary for Oracle to deliver Oracle
Connected Services:
- An Oracle Advanced Support Gateway must be provisioned into the customer's environment.
- All monitored devices must be network accessible from the Oracle Advanced Support Gateway.
- The monitored devices must be dedicated to the customer.
- Oracle must have the level of access to the monitored devices necessary for Oracle to implement and deliver the service.
- The Oracle Advanced Support Gateway must be continuously accessible from the Oracle Support Platform using the secure protocols described below.

In order to expedite the implementation process, the customer might be required to provide a
high-level network topology, which should include:
- The relative location of the monitored devices in the customer environment for which the services will be provided.
- The IP numbering scheme, routing policy and intermediate firewalls between the gateway and the monitored devices. Having this information enables Oracle to provide a recommendation regarding Oracle Advanced Support Gateway placement.

Changes to the Security Guide Since the Last Release


This section outlines changes made to the Oracle Advanced Support Gateway Security Guide
since the last release.
- Port 9001 is no longer used, and all references to it have been removed.
- Port 3872 is no longer requested for OEM agent communication, and all references to it have been removed. Users should request a single contiguous block of ports in the range 1830-1839; port 1830 is used by default.
- All references to the KVM legacy device have been removed.
- The destination IP address 141.146.8.206 used to reach ccr.oracle.com is no longer valid, and all references to it have been removed. Use 141.146.54.49 instead.
- The use of Oracle Advanced Support Gateway as a ZFS Phone Home proxy is currently not supported. The following destinations have been removed from the table listing firewall rules between the Oracle Advanced Support Gateway and the Oracle Data Center:
  - asr-services.oracle.com
  - inv-cs.oracle.com
  - transport.oracle.com
- Firewall rules for ZFS to the Oracle Data Center via the Internet have been added.
- Firewall rules between the Oracle Advanced Support Gateway and the customer network over the Internet have been added.


Firewall Port Requirements


The specifics of the Oracle Connected Services network requirements depend on the customer
network topology relative to the Oracle data center, the Oracle Advanced Support Gateway, and
the monitored devices. The firewall must be configured to permit the traffic shown in the diagram
below.

The firewall rules must be set up to allow traffic flow in two situations:
- Between the Oracle Advanced Support Gateway and the Oracle data center locations. This is referred to as the external connection.

  Note - A web proxy can be used to proxy the HTTPS traffic across the external connection. However, the gateway does not support NTLM or Kerberos proxy authentication. The SSL VPN traffic cannot be routed through a proxy server.

- Between the Oracle Advanced Support Gateway and the customer's monitored devices, through a customer-controlled firewall or other security devices. This is referred to as the internal connection.

  Note - The latest firewall port configuration is available from your implementation manager; this should be referenced before making any firewall changes.

The diagram below depicts a high-level overview of the traffic flow between customer devices
and Oracle. (Detailed firewall rules and templates are provided to the customer during the
implementation process.)

FIGURE 1 High Level Traffic Flow and Firewall Requirement


External Connection
Oracle uses a combination of a VPN solution and HTTPS to secure communications between
the Oracle Advanced Support Gateway, located within the customer's environment, and the
Oracle data center locations. The VPN is primarily used to secure inbound connections from
Oracle to the Oracle Advanced Support Gateway, and HTTPS is used for all outbound connections
from the Advanced Support Gateway to Oracle.

SSL VPN and Oracle Advanced Support Gateway


The Oracle Advanced Support Gateway is configured with a software SSL-based VPN client.
The SSL VPN establishes an encrypted inbound connection between Oracle and the local
Oracle Advanced Support Gateway. The gateway is assigned a unique ID and password and
connects to one of three Oracle VPN concentrators. The SSL-based VPN has the following
features:

- A strong encryption scheme designed to ensure traffic integrity and confidentiality. The connection is based on TLSv1 with AES256 symmetric encryption.
- Traffic availability through the use of an active/passive cluster of devices on the Oracle side. Any hardware or software issue on the master device fails over all connections to the backup device.
- Disaster recovery processes that use multiple clusters around the world. Any connection issue with one of the Oracle data centers fails over client connections to the other data centers.

FIGURE 2 An SSL-Based VPN Client Connection from Oracle Advanced Support Gateway to Oracle


Note - The SSL VPN is the standard method for establishing the connection with Oracle.
Alternative connection methods are available on an exception, customer-by-customer basis and
are summarized below. If you wish to explore these options further, please contact your Oracle
Implementation Manager.

Alternative External Connection Option


Oracle offers an alternate method for establishing a connection using IPSec. The connection
is terminated on the customer's existing VPN hardware. This option generally requires an
extended implementation cycle and is approved on an exception basis. If the customer chooses
to use their existing VPN device (for example, a firewall or VPN concentrator) as a termination
point, the overall VPN requirements described above remain the same. However, the encryption
domain in this case would be the Oracle Advanced Support Gateway addresses and the Oracle
IP subnet as described in the Network Connectivity Form. If the Oracle Advanced Support
Gateway is configured to use a private IP address block (RFC-1918), then the customer must
provide a corresponding public IP address for each address assigned to the Oracle Advanced
Support Gateway. These private addresses must be translated using one-to-one Network
Address Translation (NAT) on the customer firewall before they are routed through the tunnel.
For example, a single gateway implementation requires a NAT policy for two gateway public IP
addresses mapped to the corresponding private IP addresses associated with the gateway.

Internal Connection
Placing the Oracle Advanced Support Gateway in a customer's firewalled DMZ is the
recommended internal connection option. By placing the Oracle Advanced Support Gateway in
a DMZ, the customer has control of traffic traversing their internal networks.

Network Protocol and Port Matrix


The following tables are intended to provide a high-level view of the ports that are used for the
delivery of Oracle Connected Services.

Note - The final port and firewall requirements depend on the specific Engineered System being
monitored by Oracle Connected Services, the connectivity method chosen, and the customer's
actual network design.


External Traffic Firewall Rules Table

Note - The source for all these entries is the Advanced Support Gateway.

TABLE 1  Firewall Rules Between the Oracle Advanced Support Gateway and the Oracle Data Center

| Destination | Destination IP Address(es) | Application Protocol | Network Protocol/Port | Purpose |
|---|---|---|---|---|
| adc-ps-ssl-vpn.oracle-occn.com | 198.17.210.28 (see note) | SSL VPN | UDP and TCP/443 | To establish an SSL VPN connection between Oracle and the Gateway. Cannot support communication through an internet proxy. |
| llg-ps-ssl-vpn.oracle-occn.com | 141.146.131.124 (see note) | SSL VPN | UDP and TCP/443 | To establish an SSL VPN connection between Oracle and the Gateway. Cannot support communication through an internet proxy. |
| tokyo-ps-ssl-vpn.oracle-occn.com | 144.24.23.68 (see note) | SSL VPN | UDP and TCP/443 | To establish an SSL VPN connection between Oracle and the Gateway. Cannot support communication through an internet proxy. |
| transport-adc.oracle.com | 141.146.156.41 | HTTPS | TCP/443 | Secure transport of monitoring and other data from the gateway to Oracle. |
| ccr.oracle.com | 141.146.54.49 | HTTPS | TCP/443 | Oracle's centralized configuration repository. |
| support.oracle.com | 141.146.54.16 | HTTPS | TCP/443 | My Oracle Support (MOS) access via the OEM Cloud Control UI. Used to download patches onto the gateway from MOS. |
| login.oracle.com | 209.17.4.8; 156.151.58.18; 141.146.8.119 (see note) | HTTPS | TCP/443 | My Oracle Support (MOS) access via the OEM Cloud Control UI. Used to download patches onto the gateway from MOS. |
| linux-update.oracle.com; linux-update-adc.oracle.com; linux-update-ucf.oracle.com | 137.254.56.42 (linux-update); 156.151.58.24 (linux-update-adc) | HTTPS | TCP/443 | Unbreakable Linux Network servers. Used to patch the gateway and to download patches for customers who have patching services. |
| updates.oracle.com | 141.146.44.51 | HTTPS | TCP/443 | Patch downloads via OEM. |

Note - Each SSL VPN hostname currently resolves to two working IP addresses; the second addresses are 143.47.2.36, 140.83.95.28 and 202.8.27.20. Access to both addresses of each hostname must be permitted, as Oracle will switch from one to the other in the near future. Likewise, login.oracle.com currently resolves to three working IP addresses, and access to all three must be permitted for the same reason.

Internal Traffic Firewall Rules Tables


This section provides tables for the customer network, Exadata, Exalogic, and SuperCluster.


TABLE 2  Firewall Rules Between the Oracle Advanced Support Gateway and the Customer Network

| Source | Destination | Network Protocol/Port | Purpose |
|---|---|---|---|
| Advanced Support Gateway | Customer SMTP server | TCP/25 | Used to send emails from the Gateway, primarily for the password reset functionality in the Gateway portal. |
| Internal customer communication to Advanced Support Gateway over port 22 | Customer intranet | SSH/22 | Custadmin access to Advanced Support Gateway. |

TABLE 3  Firewall Rules Between the Oracle Advanced Support Gateway and the Engineered System (Exadata)

| Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose |
|---|---|---|---|---|
| ICMP | Bidirectional - all monitored interfaces | Bidirectional - all monitored interfaces | ICMP Type 0 and 8 | Used to test bidirectional network connectivity between the Gateway and customer systems |
| OEM | Advanced Support Gateway (OASG) | Database Node Mgmt; DomU | TCP/1830-1839 | OEM Agent communication; typically 1830 is used for Oracle Connected Services |
| SNMP | Advanced Support Gateway (OASG) | Infiniband; PDU; Cisco; Cell Node ILOM; Cell Node Mgmt; DB Node ILOM; DB Node Mgmt | UDP/161 | SNMP for ASR telemetry |
| ASR | Advanced Support Gateway (OASG) | Infiniband; Cell Node Mgmt; DB Node Mgmt; Cell Node ILOM; DB Node ILOM | TCP/6481 | ASR for discovery and monitoring by service tags |
| HTTP | Advanced Support Gateway (OASG) | PDU | TCP/80 | PDU web interface for monitoring configuration and diagnostics |
| HTTPS | Advanced Support Gateway (OASG) | Cell Node ILOM; DB Node ILOM; Infiniband | TCP/443 | Monitoring configuration and fault diagnostic collection |
| SSH | Advanced Support Gateway (OASG) | Infiniband; Cell Node Mgmt; DB Node Mgmt; Cell Node ILOM; DB Node ILOM; Cisco (might only support telnet) | TCP/22; TCP/23 (Cisco only) | Monitoring configuration, fault diagnostics and patching |
| SQL | Advanced Support Gateway (OASG) | DB Node Mgmt. Note - If a database is only listening on a Client/VIP, then access to this interface must also be allowed. | DB listener port, default is TCP/1521 | DB listener port for discovery and ongoing monitoring |
| RMCP+ | Advanced Support Gateway (OASG) | Cell Node ILOM; DB Node ILOM | UDP/623 | Management and monitoring via the ILOM interface (IPMI) |
| HTTPS (OEM Agent) | DB Node Mgmt; DomU | Advanced Support Gateway (OASG) | TCP/1159 | OEM agent communication to OASG |
| SNMP | Infiniband; PDU; Cisco; Cell Node ILOM; DB Node ILOM | Advanced Support Gateway (OASG) | UDP/162 | SNMP for monitoring events and/or network monitoring |

TABLE 4  Firewall Rules Between the Oracle Advanced Support Gateway and the Engineered System (Exalogic)

| Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose |
|---|---|---|---|---|
| ICMP | Bidirectional - all monitored interfaces | Bidirectional - all monitored interfaces | ICMP Type 0 and 8 | Used to test bidirectional network connectivity between the Gateway and customer systems |
| OEM | Advanced Support Gateway (OASG) | Compute Node Mgmt; Control VM (virtual only) | TCP/1830-1839 | OEM Agent communication; typically 1830 is used for Oracle Connected Services |
| SNMP | Advanced Support Gateway (OASG) | Infiniband; PDU; Cisco; Compute Node Mgmt; Compute Node ILOM | UDP/161 | SNMP for ASR telemetry |
| ASR | Advanced Support Gateway (OASG) | Compute Node Mgmt; Compute Node ILOM; Infiniband | TCP/6481 | ASR for discovery and monitoring by service tags |
| HTTP | Advanced Support Gateway (OASG) | PDU | TCP/80 | PDU web interface for monitoring configuration and diagnostics |
| HTTPS | Advanced Support Gateway (OASG) | Compute Node ILOM; Infiniband; ZFS ILOM | TCP/443 | Monitoring configuration and fault diagnostic collection |
| SSH | Advanced Support Gateway (OASG) | Infiniband; Control VM (virtual only); ZFS Mgmt; Compute Node Mgmt; ZFS ILOM; Compute Node ILOM; Cisco (might only support telnet) | TCP/22; TCP/23 (Cisco only) | Monitoring configuration, fault diagnostics and patching |
| SQL | Advanced Support Gateway (OASG) | Control VM (virtual only). Note - If a database is only listening on a Client/VIP, access to this interface must also be allowed. | DB listener port, default is TCP/1521 | DB listener port for discovery and ongoing monitoring |
| RMCP+ | Advanced Support Gateway (OASG) | Compute Node ILOM; ZFS ILOM | UDP/623 | Management and monitoring using the ILOM interface (IPMI) |
| Weblogic | Advanced Support Gateway (OASG) | Weblogic instances | TCP/7001-7002 | Monitoring install and diagnostics collection |
| HTTPS - ZFS agent | Advanced Support Gateway (OASG) | ZFS Mgmt | TCP/215 | OEM plug-in communication to ZFS for monitoring |
| HTTPS (OEM agent) | Compute Node Mgmt; Control VM (virtual only) | Advanced Support Gateway (OASG) | TCP/1159 | OEM agent communication to OASG |
| SNMP | Infiniband; PDU; Cisco; Compute Node Mgmt; Compute Node ILOM | Advanced Support Gateway (OASG) | UDP/162 | SNMP for monitoring events |
| HTTP (Solaris) | Compute Node Mgmt | Advanced Support Gateway (OASG) | TCP/5555 | Solaris Explorer uploads for automatic uploads for events |
| HTTPS (Solaris) | Compute Node Mgmt | Advanced Support Gateway (OASG) | TCP/8234 | ASR Assets to communicate with ASR Manager |
| HTTPS | ZFS Mgmt | asr-services.oracle.com; inv-cs.oracle.com; transport.oracle.com | TCP/443 | ZFS Phone Home. Can also support an internet proxy. |


TABLE 5  Firewall Rules Between the Oracle Advanced Support Gateway and the Engineered System (SuperCluster)

| Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose |
|---|---|---|---|---|
| ICMP | Bidirectional - all monitored interfaces | Bidirectional - all monitored interfaces | ICMP Type 0 and 8 | Used to test bidirectional network connectivity between the Gateway and customer systems |
| OEM | Advanced Support Gateway (OASG) | All Domains; Zones based on monitoring service | TCP/1830-1839 | OEM agent communication; typically 1830 is used for Oracle Connected Services |
| SNMP | Advanced Support Gateway (OASG) | Infiniband; PDU; Cisco; SPARC Server ILOMs (virtual/floating addresses as well as physical addresses); Primary Domains; Cell Node Mgmt; Cell Node ILOM | UDP/161 | SNMP for ASR telemetry |
| ASR | Advanced Support Gateway (OASG) | Infiniband; SPARC Server ILOMs (virtual/floating addresses as well as physical addresses); Primary Domains; Cell Node Mgmt; Cell Node ILOM | TCP/6481 | ASR for discovery and monitoring by service tags |
| HTTP | Advanced Support Gateway (OASG) | PDU | TCP/80 | PDU web interface for monitoring configuration and diagnostics |
| HTTPS | Advanced Support Gateway (OASG) | SPARC Server ILOMs (virtual/floating addresses as well as physical addresses); Infiniband; ZFS ILOM; Cell Node ILOM | TCP/443 | Monitoring configuration and fault diagnostic collection |
| SSH | Advanced Support Gateway (OASG) | Infiniband; ZFS Mgmt; ZFS ILOM; SPARC Server ILOMs (virtual/floating addresses as well as physical addresses); Cell Node ILOM; Cell Node Mgmt; All Domains; Zones based on monitoring service; Cisco (might only support telnet) | TCP/22; TCP/23 | Monitoring configuration, fault diagnostics and patching |
| SQL | Advanced Support Gateway (OASG) | Database domains/zones; Client/VIP. Note - If a database is only listening on a Client/VIP, access to this interface must also be allowed. | DB listener port, default is TCP/1521 | DB listener port for discovery and ongoing monitoring |
| RMCP+ | Advanced Support Gateway (OASG) | SPARC Server ILOMs (virtual/floating addresses as well as physical addresses); Cell Node ILOM | UDP/623 | Management and monitoring using the ILOM interface (IPMI) |
| Weblogic | Advanced Support Gateway (OASG) | Weblogic instances | TCP/7001-7002 | Monitoring install and diagnostics collection |
| HTTPS (OEM Agent) | All Domains; Zones based on monitoring service | Advanced Support Gateway (OASG) | TCP/1159 | OEM agent communication to OASG |
| SNMP | Primary Domains; Infiniband; PDU; Cisco; SPARC Server ILOMs (virtual/floating addresses as well as physical addresses); Cell Mgmt; Cell ILOM | Advanced Support Gateway (OASG) | UDP/162 | SNMP for monitoring events |
| HTTP | Primary Domains | Advanced Support Gateway (OASG) | TCP/5555 | Solaris Explorer uploads for automatic uploads for events |
| HTTPS | Primary Domains | Advanced Support Gateway (OASG) | TCP/8234 | ASR Manager to communicate with ASR Assets |
| HTTPS | Advanced Support Gateway (OASG) | SuperCluster Control Domain | TCP/8000 | Access to the IO Domain Creation Tool for monitoring and log file collection |
| HTTPS | ZFS Mgmt | asr-services.oracle.com; inv-cs.oracle.com; transport.oracle.com | TCP/443 | ZFS Phone Home. Can also support an internet proxy. |

External Traffic Through the Encrypted VPN Tunnel

The following is informational only, illustrating the traffic transmitted over the VPN in support
of the Advanced Support Gateway.

TABLE 6  Firewall Rules Between the Oracle Advanced Support Gateway and the Oracle Data Center Using the VPN Tunnel

| Source | Destination | Network Protocol/Port | Purpose |
|---|---|---|---|
| Oracle Remote Access Management Platform | Advanced Support Gateway | ICMP; SSH (TCP:22); HTTP/S (TCP:7799); OEM (TCP:1830, 1521); SGD/Secure AIP (TCP:5307); ASR (TCP:6481); BIP (TCP:9702) | Management traffic to remotely manage the gateway and also facilitate remote access. |
| Advanced Support Gateway | Oracle Remote Access Management Platform | ICMP; TLS/LDAP (TCP:636); NTP (TCP/UDP:123); OEM (TCP:1159); SGD/Secure AIP (TCP:5307); Syslog (TCP:514) | Management traffic to remotely manage the gateway and also facilitate remote access. Note - Traffic that should be going to the Oracle platform over the encrypted VPN tunnel is destined for a range of IP addresses (141.146.155.*). |

Audit Logging Feature

The Audit Logging Feature of the Oracle Advanced Support Gateway (OASG) provides audit
information for three categories of system events:

Outbound Network Connections: The Linux firewall service (iptables) triggers notifications
for all outbound network traffic, with the exception of traffic to Oracle-managed hosts used
for monitoring and management (for example, Oracle VPN end points, transport.oracle.com,
support.oracle.com).

Outbound Login Activity: The Linux auditing service (auditd) triggers notifications for all
outbound login attempts initiated from the OASG. This is done by monitoring usage of the ssh
and telnet system binaries. The Gateway sends a message stating that ssh or telnet has been
used, by which user and when. The destination is not provided; the auditd logs contain that
information, but they are not directly accessible by the customer.


Inbound OASG User Login Activity: The Linux auditing service (auditd) triggers
notifications each time any of the system logs used for tracking logins is updated. This
includes failed logins and successful login attempts. It also triggers a notification each
time a user logs in from a remote system. These activities are monitored using auditd and
forwarded to the customer's central logging system.

All audit notifications are delivered using the standard syslog protocol. A central logging
system must be provided to accept and process these messages.

The format of most of these messages is based on auditd, so they can be managed using the
various auditd and related utilities.

The audit logging feature is disabled by default, and must be explicitly enabled through the
OASG command line interface (CLI). The details of how to configure this feature are explained
in the following section:

Initial Login

Note - Outbound Network Connection logging can be enabled by Oracle staff for 3.7.3 and 3.8
Gateways.

1. Use ssh to connect to the OASG as user custadmin.
2. At the first prompt enter configure terminal.
3. At the second prompt enter syslog.
   You are now in the syslog-specific section of the OASG CLI where you can configure
   forwarding.

Available Commands

Command             Description
help                To display a list of available commands.
?                   To display a brief explanation of how to enter commands in the CLI.
stat                To display the current configuration. This produces a display similar to
                    the following:

------------- SyslogBroadcaster Configuration ------------
Message Forward Status = disabled
Host IP Address = 1.2.3.4
Host Port Number = 514
Host Time Zone = GMT-4
firewall Message Forward = disabled
ssh Message Forward = disabled
session Message Forward = disabled
UID/GUID Mapping = disabled

forward enable      To enable syslog forwarding.
forward disable     To disable syslog forwarding.
ip < ip address >   To enter the IP address of the remote syslog server (the one receiving the
                    forwarded messages). You must enter a valid IP address, not a hostname.
port < port # >     To change the port used for forwarding syslog messages.
timezone < value >  To set the time zone used in the forwarded syslog messages. The value must
                    be -12 to +12, which is the offset from GMT.
mapping enable /    To convert (or stop converting) the uid and gid contained in each message
mapping disable     to the corresponding Unix user and group name.

Enabling and Disabling Logging Messages


The following paragraphs show the commands to enable and disable logging messages, and
provide examples of the resulting messages.

In all of the examples below, if user mapping is enabled, all instances of uid=# and gid=# are
replaced with uid=#(username) and gid=#(groupname).

Any combination of the following three categories can be enabled or disabled.

Outbound Network Connectivity

To enable or disable this type of message forwarding:

firewall enable
firewall disable

These messages are generated by iptables and represent all outbound network traffic with the
exception of traffic to known addresses used for Oracle monitoring.

The following example shows messages as they are seen on the system that receives the
forwarded syslog messages.

Result from an nslookup command:

Jul 31 15:10:01 Jul-31 15: 10:01 GMT+00:00 0:0:0:0:0:0:0:1 NA:
ct-infraprod-01 kernel: iptables: IN= OUT=eth0 SRC=nn.nn.nn.nn
DST=nn.nn.nn.nn LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=33101 DF
PROTO=UDP SPT=30849 DPT=53 LEN=39 UID=0 GID=0

Result from an ssh command:

Jul 31 15:13:22 Jul-31 15: 13:22 GMT+00:00 0:0:0:0:0:0:0:1 NA:
ct-infraprod-01 kernel: iptables: IN= OUT=eth0 SRC=nn.nn.nn.nn
DST=nn.nn.nn.nn LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46937 DF
PROTO=TCP SPT=54842 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0 UID=0 GID=0

Outbound Login Activity

To enable or disable this type of message forwarding:

ssh enable
ssh disable

The following example shows a message as it is seen on the system that receives the forwarded
syslog messages.

Result from an ssh command:

Jul 31 15:22:15 Jul-31 15: 22:14 GMT+00:00 0:0:0:0:0:0:0:1 NA:
ct-infraprod-01 audispd: node=ct-infraprod-01 type=SYSCALL
msg=audit(1375284134.716:172756): arch=c000003e syscall=59
success=yes exit=0 a0=26c1bb0 a1=26e09d0 a2=26c6b70 a3=18
items=2 ppid=26718 pid=30240 auid=502 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=23761 comm="ssh"
exe="/usr/bin/ssh" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="gateway_audit"

Inbound OASG User Login Activity

To enable or disable this type of message forwarding:

session enable
session disable

The following examples show messages as they are seen on the system that receives the
forwarded syslog messages.

Result from an inbound ssh connection:

Aug 1 21:37:02 Aug-01 17: 37:02 GMT-04:00 0:0:0:0:0:0:0:1
NA: ct-infraprod-01 audispd: node=ct-infraprod-01 type=SYSCALL
msg=audit(1375393022.626:187186): arch=c000003e syscall=59 success=yes exit=0
a0=7fa860e69380 a1=7fa860e697e0 a2=7fa860e69ca0 a3=0 items=2 ppid=1428
pid=12967 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd"
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key="SESSION"

Result from an su command:

Aug 1 21:42:49 Aug-01 17: 42:49 GMT-04:00 0:0:0:0:0:0:0:1
NA: ct-infraprod-01 audispd: node=ct-infraprod-01 type=SYSCALL
msg=audit(1375393368.908:187341): arch=c000003e syscall=59 success=yes
exit=0 a0=1ea97c0 a1=1e9e650 a2=1ea98a0 a3=18 items=2 ppid=13438
pid=13485 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts3 ses=26026 comm="su" exe="/bin/su"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="SESSION"
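As an added example (not from the guide or the OASG product), a small Python parser that a receiving central logging system could use to sort the forwarded messages above into the three audit categories, keyed on the iptables prefix and on the auditd key= value (gateway_audit for ssh/telnet use, SESSION for logins), and to read the uid=#(username) form produced when mapping is enabled. The sample messages are constructed after the formats shown in this section, with placeholder addresses as in the guide.

```python
import re

# Constructed samples in the formats the guide shows; the last has UID/GID mapping enabled.
SAMPLE_MESSAGES = [
    "Jul 31 15:10:01 ct-infraprod-01 kernel: iptables: IN= OUT=eth0 "
    "SRC=nn.nn.nn.nn DST=nn.nn.nn.nn LEN=59 TTL=64 ID=33101 DF PROTO=UDP "
    "SPT=30849 DPT=53 LEN=39 UID=0 GID=0",
    "Jul 31 15:22:15 ct-infraprod-01 audispd: node=ct-infraprod-01 type=SYSCALL "
    "msg=audit(1375284134.716:172756): syscall=59 success=yes auid=502 uid=0 "
    'gid=0 tty=pts3 comm="ssh" exe="/usr/bin/ssh" key="gateway_audit"',
    "Aug 1 21:37:02 ct-infraprod-01 audispd: node=ct-infraprod-01 type=SYSCALL "
    "msg=audit(1375393022.626:187186): syscall=59 success=yes auid=4294967295 "
    'uid=0(root) gid=0(root) tty=(none) comm="sshd" exe="/usr/sbin/sshd" key="SESSION"',
]

IPTABLES_RE = re.compile(r"kernel: iptables: (?P<fields>.*)$")
AUDIT_RE = re.compile(r"audispd: (?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')      # key=value, value may be quoted
ID_RE = re.compile(r"^(\d+)(?:\((\w+)\))?$")     # "0" or "0(root)" when mapping is on

def parse_kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def split_id(value):
    """Return (numeric id, mapped name or None) from uid=# or uid=#(name)."""
    m = ID_RE.match(value)
    return (int(m.group(1)), m.group(2)) if m else (None, None)

def classify(line):
    """Map one forwarded syslog line to its OASG audit category and key fields."""
    m = IPTABLES_RE.search(line)
    if m:                                        # firewall: outbound connections
        f = parse_kv(m.group("fields"))
        uid, user = split_id(f.get("UID", ""))
        return {"category": "outbound_network", "proto": f.get("PROTO"),
                "dst": f.get("DST"), "dport": int(f.get("DPT", 0)),
                "uid": uid, "user": user}
    m = AUDIT_RE.search(line)
    if m:                                        # auditd: ssh/telnet use or logins
        f = parse_kv(m.group("fields"))
        category = {"gateway_audit": "outbound_login",
                    "SESSION": "inbound_login"}.get(f.get("key"), "other")
        auid, _ = split_id(f.get("auid", ""))
        uid, user = split_id(f.get("uid", ""))
        return {"category": category, "comm": f.get("comm"), "exe": f.get("exe"),
                "auid": None if auid == 4294967295 else auid,   # 4294967295 = auid unset
                "uid": uid, "user": user, "success": f.get("success") == "yes"}
    return {"category": "unknown"}
```

An auid of 4294967295 (as in the sshd record above) means no login uid was set for the process, so the record describes the daemon rather than an interactive user; the auid=502 records are the ones that name the user.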
