Agenda
Business-Driven IT Management
Architecture diagram: Grid Control Console, Oracle Management Service, Oracle Management Agents
Agenda
Security Consideration
Security Threat
Man-in-the-Middle attacks
Data availability
Denial-of-Service attacks
Authentication
Segregation of duties
Exploitation of authorization
Non-repudiation
Repudiation
Man-in-the-Middle attacks: interrupts, intercepts, modifies or fabricates data in transit between the Management Agent and the OMS (data interrupted or stolen)
Denial-of-Service attacks (data availability): makes the Management Repository or OMS unavailable to intended users by flooding them with more requests than they can handle
Authentication: the process to verify the identity, usually username and password, claimed by a user
Segregation of duties: no person should be given responsibility for more than one related function
Exploitation of authorization: accessing resources (targets, jobs, templates and so on) that he/she should not be authorized to
Non-repudiation: in network security, neither sender nor recipient can later deny having processed the information; in web application security, no one can later deny the actions he/she has taken in the application
Repudiation: denying authorship of something that happened
Architecture diagram: Oracle Management Repository, Oracle Management Service, Management Agent, with Database, Application and Host targets
Diagram: Oracle Management Repository, Oracle Management Service, Grid Control Console
Diagram: Oracle Management Repository, Oracle Management Agent
Diagram: Oracle Management Repository, Oracle Management Service, Grid Control Console, Oracle Management Agent
Please refer to http://download.oracle.com/docs/cd/E12839_01/web.1111/e13705.pdf for more information
Diagram: Oracle Management Repository, Oracle Management Service, Management Agent, with Database, Application and Host targets; a firewall between each tier
Diagram: Oracle Management Repository, Management Agent, Application, Host
Diagram: Oracle Management Repository, Grid Control Console, Oracle Management Service, Oracle Management Agent
TLS v1
OMS:
emctl stop oms
emctl secure oms -protocol TLSv1
Append -Dweblogic.security.SSL.protocolVersion=TLS1 to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh.
emctl start oms
Agent:
Update $Agent_Home/sysman/config/emd.properties
allowTLSonly=true
Diagram: Oracle Management Repository, Oracle Management Service, Management Agent, with Database, Application and Host targets; a firewall between each tier
Best Practices: (firewall placement diagram, same tiers)
Agent proxy settings (diagram: Oracle Management Repository, firewall, Oracle Management Agent):
REPOSITORY_PROXYHOST=proxyhostname.domain
REPOSITORY_PROXYPORT=port
Diagram: Oracle Management Repository, Oracle Management Agent
Authentication, Authorization, Audit
Authorization: Jobs, Templates, Reports, etc.; targets: Databases, Application Servers, Applications, Hosts (diagram labels: View Reports, Blackout Targets, Submit Job, Manage Metrics, Manage Alerts)
Audit: keeps track of the actions that happened within Enterprise Manager to prevent repudiation
Authentication options: OSSO, LDAP Server, EUS, Default (Oracle Management Repository (OMR))
Repository-based authentication (Default): use a password profile to enforce password controls such as password complexity, failed login attempts, password reuse max, password lifetime, etc.
Enterprise Manager authorization and target authorization (diagram: Oracle Enterprise Manager connects to targets: Databases, Application Servers, Applications, Hosts; Jobs, Templates, Reports, etc.; View Reports, Blackout Targets, Submit Job, Manage Metrics, Manage Alerts)
Target authorization: controls the access to the resources and functionalities within the target, e.g.
CREATE new TABLE
Back up database
Tune SQL
Enforced by the target security model; depends on the credential used to connect to the target
Example: create a new user, SQLTuningDBA, who is only responsible for tuning 2 of 100 managed database targets (diagram: Oracle Enterprise Manager connects as database user A to Database 1 and as database user B to Database 2)
Enterprise Manager authorization:
Create EM user SQLTuningDBA
Grant VIEW Target Privilege on the 2 DB targets of interest
Target authorization: the target credentials used should have the following database privileges:
select_any_catalog
administer sql tuning set
execute on dbms_workload_repository
What type of administrator should the new user be?
Normal Enterprise Manager Administrator: has NO access to anything unless granted privileges
Super Administrator: has FULL privileges on all targets and the ability to create Super Administrators
What System Privilege(s) should the user have? Enterprise Manager offers 10 System Privileges (4 new in 11g Release 1), e.g., should the user be able to VIEW any targets? Should the user be able to ADD new targets?
What targets should the user be able to access?
What Target Privilege(s) should the user have? Enterprise Manager provides 7 Target Privileges
Role
Privilege Propagating Group
Authorization (diagram: Databases, Application Servers, Applications, Hosts)
Authentication, Authorization, Audit (diagram: Jobs, Templates, Reports, etc.; Databases, Application Servers, Applications, Hosts)
Audit: enable auditing with
emcli enable_audit
Enterprise Manager Grid Control users; usages of credentials (diagram: Oracle Management Repository, Oracle Management Service, agents on Solaris, Linux and Windows; targets: Database, Application Server, Applications)
Credentials are stored encrypted
Target authentication
Enterprise Manager Grid Control: listing stored target credentials in the Oracle Management Repository
SELECT t.target_name, tc.user_name, tc.credential_set_name
FROM MGMT_TARGET_CREDENTIALS tc, MGMT_TARGETS t
WHERE tc.target_guid = t.target_guid
Credential types: Preferred Credentials, UDM Collection Credentials, Job Credentials, Monitoring Credentials (used by the Oracle Management Service and the Management Agent to connect as a Database User to the Database)
Best Practices
Man-in-the-Middle Attacks
Denial-of-Service Attacks
Exploitation of Authorization
Repudiation
Agenda
Security policies; Security at a glance; Monitor EM security; Fix EM security compliance violations (diagram: Oracle Enterprise Manager, Oracle Management Repository, Oracle Management Service, Oracle Management Agent)
Notification of violations
Corrective actions
CPU Advisory
Patching automation
Useful Whitepapers
Oracle Database Security Best Practices
http://www.oracle.com/technetwork/database/security/twpsecurity-checklist-database-1-132870.pdf
Thursday, Sept. 23; Location: Moscone S. Room 102; Moscone S. Room 310
Oracle.com/enterprisemanager11g
Q&A
Appendix
Diagram: Oracle Management Repository, Oracle Management Service, Grid Control Console, Oracle Management Agent
Listener connection rate limiting:
Connection_rate_Listenername=n
Rate_limit in the ADDRESS section of the listener endpoint configuration:
Listenername=(ADDRESS=(PROTOCOL=tcp)(HOST=Server1)(PORT=1521)(RATE_LIMIT=yes))
Diagram: Management Agent with Database, Application and Host targets
Diagram: Oracle Management Repository; Agent is secure at HTTPS port 1838; OMS is secure on HTTPS port 4473
Diagram: Oracle Management Repository, Management Agent, Database, Application, Host
Steps:
SQLNET.ENCRYPTION_SERVER=REQUESTED
Diagram: Oracle Management Repository, Agent, Grid Control Console, Oracle Management Service
Agent: edit $AGENT_HOME/sysman/config/emd.properties to configure the strong cipher suites
SSLCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_AES_128_CBC_SHA:SSL_RSA_WITH_AES_256_CBC_SHA
OMS:
SSLCipherSuite
SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
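An added check, written for this page and not part of the slides or of Oracle's tooling, that reads an emd.properties-style file and audits the two agent settings the deck touches: allowTLSonly from the TLS slide and the SSLCipherSuites list above. The weak-suite policy (export, single DES, RC4, 3DES, NULL, anonymous) is this example's own assumption, and the properties text is a constructed sample modelled on the agent list shown above.

```python
# Editor's example: audit an emd.properties-style file for the two settings
# the slides touch (allowTLSonly and SSLCipherSuites). The weak-suite policy
# below is an assumption of this example, not something the slides state.
WEAK_MARKERS = ("EXPORT", "_DES_", "RC4", "3DES", "NULL", "ANON")

# Constructed sample modelled on the agent settings shown on the slide.
SAMPLE_EMD_PROPERTIES = """\
# emd.properties (constructed excerpt)
allowTLSonly=true
SSLCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_AES_128_CBC_SHA:SSL_RSA_WITH_AES_256_CBC_SHA
"""

def parse_properties(text):
    """Parse Java-style key=value lines; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def weak_suites(suite_list):
    """Suites in a colon-separated list that match a weak marker, in file order."""
    return [s for s in suite_list.split(":") if s and any(m in s for m in WEAK_MARKERS)]

def recommended_suites(suite_list):
    """The same list with the weak suites removed (what to keep in the file)."""
    bad = set(weak_suites(suite_list))
    return ":".join(s for s in suite_list.split(":") if s and s not in bad)

def check_agent_tls(text):
    """Return a list of findings; an empty list means both settings look fine."""
    props = parse_properties(text)
    findings = []
    if props.get("allowTLSonly", "").lower() != "true":
        findings.append("allowTLSonly is not true: the agent still accepts non-TLS (SSLv3) handshakes")
    for s in weak_suites(props.get("SSLCipherSuites", "")):
        findings.append("weak cipher suite enabled: " + s)
    return findings

if __name__ == "__main__":
    for finding in check_agent_tls(SAMPLE_EMD_PROPERTIES):
        print(finding)
```

Run against the OMS list from the slide, every suite is flagged, which is the point of comparing the two lists.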
Trusted certificates: different expiry and key size that meet special security rules
Steps: (diagram: Oracle Management Repository, Management Agent, Database, Application, Host)
Web-based Grid Control: Browser to Oracle Management Service (OMS) on ports 7777, 7778 and 4443
Oracle Management Service (OMS) to Repository over SQL*Net through a firewall
Oracle Management Service (OMS) to My Oracle Support through a firewall
Security Policies; Security at a glance; Security Violations; Notification of violations
Corrective Actions; Security Violations