For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Access to Oracle Support
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Reference: E40643-09
Copyright 2015, Oracle and/or its affiliates. All rights reserved.
This software and the accompanying documentation are protected by intellectual property laws. They are licensed and subject to restrictions on use and disclosure. Except as expressly stipulated in your license agreement or by law, you may not copy, reproduce, translate, broadcast, modify, patent, transmit, distribute, exhibit, perform, publish or display the software, even partially, in any form or by any means. Furthermore, reverse engineering, disassembly or decompilation of the software is prohibited, except for interoperability with third-party software or as required by law.
The information contained in this document is subject to change without notice. Furthermore, Oracle Corporation does not warrant that it is error-free and invites you, where applicable, to report any errors in writing.
If this software, or the accompanying documentation, is licensed to the U.S. Government, or to any entity that licenses this software or uses it on behalf of the U.S. Government, the following notice applies:
U.S. GOVERNMENT END USERS. Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered
to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As
such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or
documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
This software or hardware was developed for general use in information management applications. It is not designed or intended for use in hazardous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, it is your responsibility to take all fail-safe, backup, redundancy and other measures necessary for its safe use. Oracle Corporation and its affiliates disclaim any liability for damages caused by the use of this software or hardware in such applications.
Oracle and Java are registered trademarks of Oracle Corporation and/or its affiliates. Any other name mentioned may be a trademark belonging to owners other than Oracle.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and the accompanying documentation may provide information or links giving access to content, products and services from third parties. Oracle Corporation and its affiliates disclaim any liability or express warranty with respect to third-party content, products or services, unless otherwise stipulated in a contract between you and Oracle. In no event shall Oracle Corporation and its affiliates be liable for any loss, costs or damages incurred through access to or use of third-party content, products or services, unless otherwise stipulated in a contract between you and Oracle.
Oracle Advanced Support Gateway Security Guide (June 2015)
This document outlines the requirements for deploying the Oracle Advanced Support Gateway
(OASG) into the customer environment to support the delivery of Oracle Connected Services.
The Oracle Advanced Support Gateway is an important part of the Oracle delivery architecture
for Oracle Connected Services and its placement must be carefully considered in order
for Oracle to deliver Oracle Connected Services. This document outlines configuration
options when integrating the Oracle Advanced Support Gateway device within the customer
environment. To help explain these options, this document assumes a "simple" customer-side
network topology. However, these options can extend to more complex network topologies.
Oracle sales personnel are available to discuss the options for Oracle Advanced Support
Gateway deployment.
The gateway platform is based on hardened Solaris and Oracle Linux operating systems and
hosts a full set of Oracle software stacks, including Automated Service Request (ASR), Oracle
Enterprise Manager (12c), Oracle Configuration Manager (OCM), patch management (such as
YUM services), and a suite of Java applications.
Together, these applications aggregate and route telemetry messages from the customer
infrastructure to the Oracle Premier Support platform. The same Oracle Advanced Support
Gateway is also used as a bastion host and provides remote access for Oracle engineers to
access the customer network (with customer permission) and to carry out approved actions
on customer hosts. In short, the Oracle Advanced Support Gateway allows simplification of
the network requirements and a single point of access for the provision and delivery of Oracle
services.
The general security model used for the Oracle Advanced Support Gateway is described in the Global Customer Support Security Practices, available at http://www.oracle.com/us/support/policies/index.html.
General Requirements
There are a number of general requirements that are necessary for Oracle to deliver Oracle Connected Services:
- An Oracle Advanced Support Gateway must be provisioned into the customer's environment.
- All monitored devices must be network accessible from the Oracle Advanced Support Gateway.
- The monitored devices must be dedicated to the customer.
- Oracle must have the level of access to the monitored devices necessary for Oracle to implement and deliver the service.
- The Oracle Advanced Support Gateway must be continuously accessible from the Oracle Support Platform using the secure protocols described below.
In order to expedite the implementation process, the customer might be required to provide a high-level network topology, which should include:
- The relative location of the monitored devices in the customer environment for which the services will be provided.
- The IP numbering scheme, routing policy and intermediate firewalls between the gateway and the monitored devices. Having this information enables Oracle to provide a recommendation regarding Oracle Advanced Support Gateway placement.
Firewall rules for ZFS to the Oracle Data Center via the Internet have been added.
Firewall rules between the Oracle Advanced Support Gateway and the customer network over the Internet have been added.
The firewall rules must be set up to allow traffic flow in two situations:
- Between the Oracle Advanced Support Gateway and Oracle data center locations. This is referred to as the external connection.
Note - A web proxy can be used to proxy the HTTPS traffic across the external connection. However, the gateway does not support NTLM or Kerberos proxy authentication. The SSL VPN traffic cannot be routed through a proxy server.
- Between the Oracle Advanced Support Gateway and the customer's monitored devices, through a customer-controlled firewall or other security devices. This is referred to as the internal connection.
Note - The latest firewall port configuration is available from your implementation manager; it should be referenced before making any firewall changes.
The diagram below depicts a high-level overview of the traffic flow between customer devices and Oracle. (Detailed firewall rules and templates are provided to the customer during the implementation process.)
External Connection
Oracle uses a combination of a VPN solution and HTTPS to secure communications between the Oracle Advanced Support Gateway, located within the customer's environment, and the Oracle data center locations. The VPN is primarily used to secure inbound connections from Oracle to the Oracle Advanced Support Gateway, and HTTPS is used for all outbound connections from the Advanced Support Gateway to Oracle.
- A high encryption scheme designed to ensure traffic integrity and confidentiality. The connection is based on TLSv1 with AES256 symmetric encryption.
- Traffic availability through the use of an active/passive cluster of devices on the Oracle side. Any hardware or software issue on the master device fails over all connections to the backup device.
- Disaster recovery processes that use multiple clusters around the world. Any connection issue with one of the Oracle data centers fails over client connections to the other data centers.
FIGURE 2 An SSL-Based VPN Client Connection from Oracle Advanced Support Gateway to Oracle
Note - The SSL 9001 VPN is the standard method for establishing the connection with Oracle. Alternative connection methods are available on an exception, customer-by-customer basis and are summarized below. If you wish to explore these options further, please contact your Oracle Implementation Manager.
Internal Connection
Placing the Oracle Advanced Support Gateway in a customer's firewalled DMZ is the recommended internal connection option. By placing the Oracle Advanced Support Gateway in a DMZ, the customer retains control of the traffic traversing their internal networks.
Note - The final port and firewall requirements depend on the specific Engineered System being monitored by Oracle Connected Services, the connectivity method chosen, and the customer's actual network design.
Note - The source for all these entries is the Advanced Support Gateway.
TABLE 1 Firewall Rules Between the Oracle Advanced Support Gateway and the Oracle Data Center
TABLE 2 Firewall Rules Between the Oracle Advanced Support Gateway and the Customer Network
TABLE 3 Firewall Rules Between the Oracle Advanced Support Gateway and the Engineered System (Exadata)
Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
-----------------------------------------------------------
ASR | Advanced Support Gateway (OASG) | Infiniband | TCP/6481 | ASR for discovery and monitoring by service tags
HTTP | Advanced Support Gateway (OASG) | PDU | TCP/80 | PDU web interface for monitoring, configuration, and diagnostics
HTTPS | Advanced Support Gateway (OASG) | Cell Node ILOM | TCP/443 | Monitoring configuration and fault diagnostic collection
SSH | Advanced Support Gateway (OASG) | Infiniband | TCP/22 (TCP/23 for Cisco only) | Monitoring configuration, fault diagnostics and patching
Other destination interfaces listed in this table: Cisco, DB Node ILOM, DB Node Mgmt, Cell Node Mgmt.
TABLE 4 Firewall Rules Between the Oracle Advanced Support Gateway and the Engineered System (Exalogic)
Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
-----------------------------------------------------------
HTTP | Advanced Support Gateway (OASG) | PDU | TCP/80 | PDU web interface for monitoring, configuration, and diagnostics
SSH | Advanced Support Gateway (OASG) | Infiniband | TCP/22 (TCP/23 for Cisco only) | Monitoring configuration, fault diagnostics and patching
Other destination interfaces listed in this table: Cisco, Infiniband, ZFS ILOM, ZFS Mgmt, Control VM (virtual only), transport.oracle.com.
TABLE 5 Firewall Rules Between the Oracle Advanced Support Gateway and the Engineered System (SuperCluster)
Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
-----------------------------------------------------------
ICMP | Bidirectional - all Monitored Interfaces | Bidirectional - all Monitored Interfaces | ICMP Type 0 and 8 | Used to test bidirectional network connectivity between the Gateway and customer systems
OEM | Advanced Support Gateway (OASG) | All Domains; Zones based on monitoring service | TCP/1830-1839 | OEM agent communication; typically 1830 is used for Oracle Connected Services
SNMP | Advanced Support Gateway (OASG) | Infiniband | UDP/161 | SNMP for ASR telemetry
HTTP | Primary Domains | Advanced Support Gateway (OASG) | TCP/5555 | Solaris Explorer uploads for automatic uploads for events
HTTPS | Primary Domains | Advanced Support Gateway (OASG) | TCP/8234 | ASR Manager to communicate with ASR Assets
HTTPS | Advanced Support Gateway (OASG) | SuperCluster Control Domain | TCP/8000 | Access to the IO Domain Creation Tool for monitoring and log file collection
HTTPS | ZFS Mgmt | asr-services.oracle.com; transport.oracle.com | TCP/443 | ZFS Phone Home
Other destination interfaces listed in this table: PDU, Cisco, Primary Domains, Infiniband, ZFS ILOM, All Domains, Cell Mgmt, Cell ILOM.
TABLE 6 Firewall Rules Between the Oracle Advanced Support Gateway and the Oracle Data Center Using VPN Tunnel
Source | Destination | Network Protocol/Port | Purpose
-----------------------------------------------------------
Oracle Remote Access Management Platform | Advanced Support Gateway | ICMP; SSH (TCP:22); HTTP/S (TCP:7799); ASR (TCP:6481); BIP (TCP:9702) | Management traffic to remotely manage the gateway and also facilitate remote access.
Advanced Support Gateway | Oracle Remote Access Management Platform | ICMP; TLS/LDAP (TCP:636); NTP (TCP/UDP:123); OEM (TCP:1159); SGD/Secure AIP (TCP:5307); Syslog (TCP:514) | Management traffic to remotely manage the gateway and also facilitate remote access.
Note - Traffic that should be going to the Oracle platform over the encrypted VPN tunnel is destined for a range of IP addresses (141.146.155.*).
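As an added example that is not part of the Oracle guide, the following Python transcribes the VPN-tunnel port specifications of Table 6 into a machine-checkable list and reports which flows a candidate firewall policy fails to allow. The candidate policy, the direction names and the tuple format are this example's own constructed conventions.

```python
import re

# Flows transcribed from Table 6 (VPN tunnel between the Oracle Remote Access
# Management Platform and the gateway). ICMP has no port and is left out here.
REQUIRED = [
    ("inbound", "SSH (TCP:22)"),
    ("inbound", "HTTP/S (TCP: 7799)"),
    ("inbound", "ASR (TCP:6481)"),
    ("inbound", "BIP (TCP:9702)"),
    ("outbound", "TLS/LDAP (TCP:636)"),
    ("outbound", "NTP (TCP/UDP:123)"),
    ("outbound", "OEM (TCP:1159)"),
    ("outbound", "SGD/Secure AIP (TCP:5307)"),
    ("outbound", "Syslog (TCP:514)"),
]
SPEC_RE = re.compile(r"\((?P<protos>[A-Z/]+):\s*(?P<port>\d+)\)")

def parse_spec(spec):
    """'NTP (TCP/UDP:123)' -> [('tcp', 123), ('udp', 123)]."""
    m = SPEC_RE.search(spec)
    if not m:
        raise ValueError(f"unrecognised port spec: {spec}")
    port = int(m.group("port"))
    return [(p.lower(), port) for p in m.group("protos").split("/")]

def missing_rules(policy):
    """Return the Table 6 flows that a firewall policy does not allow.

    policy: list of (direction, proto, low_port, high_port), inclusive range,
    e.g. ("outbound", "tcp", 636, 636). Each required proto/port must match.
    """
    missing = []
    for direction, spec in REQUIRED:
        for proto, port in parse_spec(spec):
            if not any(d == direction and p == proto and lo <= port <= hi
                       for d, p, lo, hi in policy):
                missing.append((direction, proto, port, spec))
    return missing

# Constructed policy for illustration: BIP and NTP over UDP are still blocked.
EXAMPLE_POLICY = [
    ("inbound", "tcp", 22, 22), ("inbound", "tcp", 7799, 7799),
    ("inbound", "tcp", 6481, 6481),
    ("outbound", "tcp", 636, 636), ("outbound", "tcp", 123, 123),
    ("outbound", "tcp", 1159, 1159), ("outbound", "tcp", 5307, 5307),
    ("outbound", "tcp", 514, 514),
]

if __name__ == "__main__":
    for direction, proto, port, spec in missing_rules(EXAMPLE_POLICY):
        print(f"missing: {direction} {proto}/{port} for {spec}")
```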
Inbound OASG User Login Activity: The Linux auditing service (auditd) triggers notifications each time any of the system logs used for tracking logins is updated. This includes failed and successful login attempts. It also triggers a notification each time a user logs in from a remote system. These activities are monitored using auditd and forwarded to the customer's central logging system.
All audit notifications are delivered using the standard syslog protocol. A central logging system must be provided to accept and process these messages.
The format of most of these messages is based on auditd. They can be managed using various auditd and related utilities.
The audit logging feature is disabled by default, and must be explicitly enabled through the OASG command line interface (CLI). The details of how to configure this feature are explained in the following section:
Initial Login
Note - Outbound Network Connection logging can be enabled by Oracle staff for 3.7.3 and 3.8 Gateways.
Available Commands
Command | Description
-----------------------------------------------------------
forward enable | To enable syslog forwarding.
forward disable | To disable syslog forwarding.
ip <ip address> | To enter the IP address of the remote syslog server (the one receiving the forwarded messages).
In all of the examples below, if user mapping is enabled, all instances of uid=# and gid=# are replaced with uid=#(username) and gid=#(groupname).
These messages are generated by iptables and represent all outbound network traffic with the exception of traffic to known addresses used for Oracle monitoring.
The following example shows messages as they are seen on the system that receives the forwarded syslog messages.
The following example shows a message as it is seen on the system that receives the forwarded syslog messages.
The following examples show messages as they are seen on the system that receives the forwarded syslog messages.
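As an added example (not code from the Oracle guide), the following Python shows how the customer's central logging system might process the forwarded messages described above: it applies the uid=#(username)/gid=#(groupname) rewrite that user mapping performs, separates failed and remote logins from auditd records, and checks iptables outbound messages against the Oracle platform range (141.146.155.*) given in Table 6. The uid/gid table and every log line are constructed samples in the usual auditd and iptables formats.

```python
import re
import ipaddress

NAMES = {0: "root", 500: "oasgadmin"}  # constructed uid/gid table; a real one comes from /etc/passwd and /etc/group
KNOWN_ORACLE = [ipaddress.ip_network("141.146.155.0/24")]  # the 141.146.155.* range named in Table 6
ID_RE = re.compile(r"\b(uid|gid)=(\d+)\b")

def map_ids(line):
    """Apply the user-mapping rewrite: uid=500 -> uid=500(oasgadmin); unknown ids stay as they are."""
    def repl(m):
        name = NAMES.get(int(m.group(2)))
        return m.group(0) if name is None else f"{m.group(0)}({name})"
    return ID_RE.sub(repl, line)

def login_event(line):
    """Return (result, remote address) for an auditd USER_LOGIN record, or None for other lines."""
    if "type=USER_LOGIN" not in line:
        return None
    res = re.search(r"res=(\w+)", line)
    addr = re.search(r"addr=([\d.]+)", line)
    return (res.group(1) if res else "unknown", addr.group(1) if addr else None)

def unknown_outbound(line):
    """Return the DST of an iptables outbound message unless it is a known Oracle monitoring address."""
    m = re.search(r"OUT=\S+ .*DST=([\d.]+)", line)
    if not m:
        return None
    dst = ipaddress.ip_address(m.group(1))
    return None if any(dst in net for net in KNOWN_ORACLE) else str(dst)

def triage(lines):
    """Sort a batch of forwarded messages into failed logins, remote logins and unexpected outbound traffic."""
    out = {"failed_logins": [], "remote_logins": [], "unknown_outbound": []}
    for line in lines:
        ev = login_event(line)
        if ev and ev[0] != "success":
            out["failed_logins"].append(map_ids(line))
        elif ev and ev[1]:
            out["remote_logins"].append(ev[1])
        dst = unknown_outbound(line)
        if dst:
            out["unknown_outbound"].append(dst)
    return out

SAMPLE = [  # constructed lines in the usual auditd and iptables syslog formats
    "type=USER_LOGIN msg=audit(1434000000.1:210): uid=0 auid=500 msg='op=login id=500 addr=10.10.5.7 res=success'",
    "type=USER_LOGIN msg=audit(1434000000.2:211): uid=0 auid=4294967295 msg='op=login acct=\"root\" addr=10.10.5.9 res=failed'",
    "kernel: OASG-OUT: IN= OUT=eth0 SRC=10.10.5.20 DST=141.146.155.10 PROTO=TCP DPT=443",
    "kernel: OASG-OUT: IN= OUT=eth0 SRC=10.10.5.20 DST=203.0.113.45 PROTO=TCP DPT=22",
]
```

Running `triage(SAMPLE)` reports one failed login (with uid=0 rewritten to uid=0(root)), one remote login from 10.10.5.7, and one outbound flow to 203.0.113.45 that is not a known Oracle address.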