OEM Security Best Practices

1
<Insert Picture Here>
Oracle Enterprise Manager Security Best Practices

Huaqing Wang, Senior Product Manager, Oracle
Ravi Pinnamaneni, Consulting Member of Technical Staff, Oracle
The following is intended to outline our general

product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracles
products remains at the sole discretion of Oracle.
Agenda
Oracle Enterprise Manager Overview

Security Best Practices
Managing Enterprise Manager Security
using Enterprise Manager
Q&A
Appendix
Agenda

Q&A
Appendix
Business-Driven IT Management
2010 Oracle Corporation
Enterprise Manager Security Certification

Common Criteria EAL 4+
Enterprise Manager security feature

development process rigorously
vetted and certified by independent
government agency
Certified with Common Criteria
Evaluation Assurance Level (EAL) 4+
with ID# BSI-DSZ-CC-0621-2010 on
Aug., 27, 2010
Comprehensive evaluation process
took 2+ years to complete
EAL4+ is highest mutually recognized
level among governments worldwide
Oracle Enterprise Manager Architecture Overview

Oracle Management
Repository
Oracle Management
Service
Grid Control Console
Oracle Management
Agent
Oracle Management Agent (Management Agent)

An integral software component deployed on each monitored host
Responsible for monitoring and managing the hosts and all the targets running on those
hosts, communicating the information (metrics, configurations,etc.) to Oracle Management
Service (OMS)

Oracle Management
Repository
Oracle Management
Service
Oracle Management
Agent
Oracle Management Service (OMS)

J2EE Web application that orchestrates with Oracle Management Agents to discover targets,
monitor and manage them, and upload the collected information to Oracle Management
Repository for future reference and analysis
Renders the user interface for the Grid Control Console

Oracle Management
Repository
Oracle Management
Service
Oracle Management
Agents
Oracle Management Repository (Management Repository)

An Oracle database where all the information (metrics, configurations, etc.)
collected by the Oracle Management Agents gets stored
10

Oracle Management
Repository
Oracle Management
Service
Oracle Management
Agent

A web user interface from where you can monitor and administer your entire
computing environment
11
Agenda

Q&A
Appendix
12
Enterprise Security Considerations and Threats
Security Consideration
Security Threat
Data confidentiality and integrity
Man-in-the-Middle attacks
Data availability
Denial-of-Service attacks
Authentication
Password crack attacks
Segregation of duties
Exploitation of authorization
Non-repudiation
Repudiation
13
Security Threat
Data availability
Authentication
Non-repudiation
Repudiation
Interrupted/Stolen
Management Agent
OMS

Not disclosed to any entities unless they are authorized to access
Not changed, destroyed, or lost in unauthorized or accidental manner
Interrupts, intercepts, modifies or fabricates data in transit
14

Security Threat
Data availability
Authentication
Non-repudiation
Repudiation
OMS
Management Agent
Data Availability
Hacker
Available and usable upon demand by an authorized entity
Makes Management Repository or OMS unavailable to intended users by
flooding them with more requests than they can handle
15
Security Threat
Data availability
Authentication
Non-repudiation
Repudiation
Authentication
The process to verify the identity, usually username and password, claimed
by a user

Obtains password from an authentication exchange, then uses the password
to log on to Enterprise Manager Grid Control
For examples: guess, dictionary and brute force attacks
16
Security Threat
Data availability
Authentication
Non-repudiation
Repudiation
No person should be given responsibility for more than one related
function
Accesses resources (targets, jobs, templates and so on) that he/she
should not be authorized to
17
Security Threat
Data availability
Authentication
Non-repudiation
Repudiation
Non-repudiation
Network security: Neither sender nor recipient can later deny having
processed the information
Web Application security: No one can later deny the actions he/she
has taken in the application
Repudiation
Refuses authoring of something that happened
18
Oracle Enterprise Manager Security Overview
1. Enterprise Manager Infrastructure

Security
2. Authentication, Authorization and
Audit The Three As
3. Security of target authentications
19
Enterprise Manager Infrastructure Security
Oracle Management
Repository
Oracle Management
Service
Enterprise Manager Infrastructure

Security
Securing individual Enterprise Manager
components
Securing communication
Management
Agent
Database
Application
Host
20
Infrastructure Security Best Practices

Securing Enterprise Manager Components
Harden the machines on which OMS and
Management Repository reside
Remove unsecure services such as FTP, telnet,
rlogin and so on
Close UDP and TCP ports for services that are
disabled
Oracle Management
Repository
Oracle Management
Service
Apply all security patches

Always apply latest relevant CPUs for OS, Oracle
Database, Oracle Weblogic Server, OMS and
Agents
Use privilege delegation tool such as

sudo/Powerbroker for the access to the owner
of OMR, OMS and Agent Oracle Homes
Oracle Management
Agent
Disable owner account , oracle, direct log in to

hosts
Allow normal users to perform administrative tasks
without disclosing password of privileged user
21

Oracle Management Repository
Follow best practices for securing the Oracle
Database (e.g. Oracle Database Security
Checklist)
Oracle Management
Restrict operation system access
Repository
Limiting the number of OS users with access on Oracle

Database host
Restricting the ability for these users to modify the
default file/directory permissions of Oracle Home
Oracle Management
Service
Oracle Management
Agent
Restrict network access to the Repository

Check Network IP Address to allow the access to
Oracle Database only from authorized nodes
Configure $TNS_ADMIN/protocol.ora file
tcp.validnode_checking=yes
tcp.included_nodes={listofIP
addresses}
If Repository is the only database on the host, we
can limit the nodes to OMS nodes only
Please refer to the link for more information

http://www.oracle.com/technetwork/database/security/
twp-security-checklist-database-1-132870.pdf
22

Oracle Management Service
Follow best practices for securing Oracle
Weblogic Server (Securing the Production
Environment for Oracle Weblogic Server)
Oracle Management
Repository
Oracle Management
Service
Protect WebLogic Server Home directory

especially domain directory which contains
configuration files, security files, log files and
other Java EE resources for the Weblogic
domain.
Grant only one OS user who runs Weblogic Server
the access privilege to the directory
Create no fewer than two user accounts with

system administrator privileges
Oracle Management
Agent
To ensure one user maintains account access in

case another user becomes locked out by a
dictionary/brute force attack
Please refer to
http://download.oracle.com/docs/cd/E12839_01/
web.1111/e13705.pdf
for more information
23

Oracle Management Agent
Deploy agent via pushing agents

from OMS
Oracle Management
Repository
Secure Shell (SSH) protocol is used

in this approach, which ensures the
confidentiality and integrity of agent
installation
Oracle Management
Service
Oracle Management
Agent
Use complex one-time registration

passwords with reasonable expiry
date
Registration password combined with
random keys generated by OMS and
agent is used to produce agent key to
register and secure the agent
Protect against the possibility of
unauthorized agents accessing OMS
24
Oracle Management
Repository
Oracle Management
Service
Enterprise Manager Infrastructure

Security
Securing individual Enterprise Manager
components
Management
Agent
Database
Application
Host
25

Securing Communication Overview
Oracle Management
Repository
Various communications within

Enterprise Manager
Firewall
Oracle Management
Service
Firewall
Management
Communications in firewall environments
Firewall
Agent
Database
Between OMS and agent (Bidirectional)

Between browsers and OMS
Between OMS and Management
Repository
Between OMS and targets
Application
Host
26

Securing Communication Between OMS and Agents
Securing communication between OMS

and Agents (Bidirectional)
Oracle Management
Repository

Oracle Management
Service
It is secure locked out-of-box (10.2.0.5 and

after), which means the communication is
only over HTTPS
Security aspects of communication over
HTTPS
What secure protocol is used
Secure Socket Layer (SSL) v3
Transportation Layer Security (TLS) v1
Management
Agent
What strong cipher suites are used

Is certificate from well-known Certificate
Authority (CA)
Database
Application
Host
27

Enable TLS v1 only for communication

between OMS and Management Agents
Oracle Management
Repository
OMS:
Oracle Management
Service
TLS v1
emctlstopoms
emctlsecureomsprotocolTLSv1
Append
Dweblogic.security.SSL.protocolVe
rsion=TLS1toJAVA_OPTIONSin
Domain_Home/bin/startEMServer.sh.
emctlstartoms
Agent:
Oracle Management
Update
$Agent_Home/sysman/config/emd.properties
allowTLSonly=true
Agent
28

Securing Communication Overview
Oracle Management
Repository
Various communications within

Enterprise Manager
Firewall
Oracle Management
Service
Firewall
Management
Communications in firewall environments
Firewall
Agent
Database
Between OMS and agent (Bidirectional)

Between browsers and OMS
Between OMS and Management
Repository
Between OMS and targets
Application
Host
29

Configuring Enterprise Manager for Firewalls
Firewalls are commonplace in most
mature and modern IT infrastructures
Oracle Management
Repository
Firewall
Two areas where Enterprise Manager

and firewalls will interact
Oracle Management
Navigate between Enterprise Manager

components separated by firewalls
Communicate with managed targets that
are behind firewalls
Service
Firewall
Management
Firewall
Agent
Enterprise Manager is designed to cope

with both cases but.
Database
Application
Host
this is one of the least understood

areas when deploying Enterprise
Manager in a secure environment
30

Configure Enterprise Manager for Firewalls
Oracle Management
Best Practices:
Repository
Get firewalls into first design of the solution

Firewall
Oracle Management
Service
Firewall
Management
Firewall
Agent
Database
Application
Host
Carefully analyze your protocol requirements

between Enterprise Manager and the Managed
Targets in your environment, e.g.,
HTTP/HTTPS for communication between
OMS and Agents
SQL*Net for the communication between
OMS and Oracle Database targets
ICPM and UDP for the communication
between beacons and managed targets
Consider placement of OMSs when laying down
your Enterprise Manager topology
Work closely with the network team on design

of groups and Access Control List (ACL) for
groups of targets
31

Configuring Enterprise Manager for Firewalls
Lots of different permutations with
Enterprise Manager when dealing
with Firewalls.
Oracle Management
Repository
Firewall
Oracle Management
Service
Firewall
Management
Firewall
Agent
Database
Application
Host
Configuring agents on a host protected

by a firewall
Configuring OMS on a host protected
by a firewall
Firewalls between OMS and OMR
Firewall between your browser and
Grid Grid Control
Firewalls between the Grid Control and
a managed database target
Firewalls used with multiple OMS

Lets take a tour through some of

these
32

Configure Oracle Management Agent on a
host protected by a firewall
Oracle Management
Configure Oracle Management Agent to use

proxy server for its upload to OMS
Repository
Update the following parameters in file

$AGENT_HOME/sysman/config/emd.properties

Oracle Management
Service
REPOSITORY_PROXYHOST=proxyhostname.domain
REPOSITORY_PROXYPORT=port
If authentication is required, edit the following

parameters as well
REPOSITORY_PROXYREALM=realm
REPOSITORY_PROXYUSER=proxyuser
REPOSITORY_PROXYPWD=proxypassword
Firewall
Oracle Management
Oracle Management
Agent
Agent
Configure firewall to allow inbound

communication from OMS to Agent
Port 3872 (default)
Port range1830-1849 (non-default)
33

Configure Oracle Management Service on a
host protected by a firewall
Configure OMS to use proxy server for its
communication to agents outside the firewall
Oracle Management
Repository

Oracle Management
Service
Firewall
Update the following OMS properties via emctl

set property command:
emctl set property name <property> -value
<value>
PROXYHOST=proxyhostname.domain
PROXYPORT=port
If there are some agents on the hosts that are

inside the firewall, set dontProxyfor property for
these hosts
dontPROXYFor=hostname1,hostname2
Oracle Management
Agent
Configure firewall to allow inbound

communication from Agents to OMS
Default HTTP/HTTPS Ports: 4889/1159
Non-default port range 4890-4897/4898-4908
34

Security
Audit The Three As
35
Authentication, Authorization and Auditing

The Three As
Authentication
Authentication
Oracle Enterprise Manager
Determines whether someone is in fact

who it is declared to be while accessing
Enterprise Manager Grid Control
Authorization
Audit
Authorization
Jobs, Templates
Reports, etc
Databases
Application
Servers
Applications
rts
epo gets
R
w
ar
Vie
ut T
o
k
c
s
Bla it Job
m
rics
b
Su
Met
e
ag
rts
Man e Ale
na g
Ma
Provides access control to secure

resources and functionalities within
Enterprise Manager such as targets,
jobs, templates, reports, etc.
Audit
Keeps track of the actions happened
within Enterprise Manager to prevent
repudiation
Hosts
36

The Three As
Authentication
Authentication

Authorization
Audit
Authorization
Jobs, Templates
Reports, etc
Databases
Application
Servers
Applications
rts
epo gets
R
w
ar
Vie
ut T
o
k
c
s
Bla it Job
m
rics
b
Su
Met
e
ag
rts
Man e Ale
na g
Ma

Audit
repudiation
Hosts
37
The Three As Best Practices

Authentication
OSSO
LDAP Server
Default
EUS
Oracle Management
Repository(OMR)
Repository-based authentication
(Default)
Use password profile to enforce the
password control such as password
complexity, failed login attempt,
password reuse max, password life
time, etc.
Leverage Grid Control user

authentication to Oracle Single Signon (OSSO) or Enterprise User
Security (EUS)
Simplify the identity management
across the enterprise
Both SSO and EUS enable your users
to authenticate to Grid Control by using
their credentials stored in LDAP server
38

Authentication
Disable SYSMAN logging into Grid Control console by issuing
the following SQL statement on Repository
UPDATEMGMT_CREATED_USERS
SETSYSTEM_USER=1
WHEREuser_name=SYSMAN
If you want to enable SYSMAN logging into Grid Control

Console later on:
UPDATEMGMT_CREATED_USERS
SETSYSTEM_USER=1
WHEREuser_name=SYSMAN
Change password for both SYSMAN and MGMT_VIEW on a

regular basis
Prevent password crack attacks
emctlconfigomschange_repos_pwdchange_in_db
emctlconfigomschange_view_user_pwd
39

The Three As
Authentication
Authentication

Authorization
Audit
Authorization
Jobs, Templates
Reports, etc
Databases
Application
Servers
Applications
rts
epo gets
R
w
ar
Vie
ut T
o
k
c
s
Bla it Job
m
rics
b
Su
Met
e
ag
rts
Man e Ale
na g
Ma

Audit
repudiation
Hosts
40

Authorization Overview
Oracle Enterprise
Manager
Enterprise Manager
Authorization
Connect to target
Jobs,Target
Templates
Reports, etc
Target
Application
Servers
Target
Authorization
Target
Databases
Target
Applications
rts
epo gets
R
w
ar
Vie
ut T
o
k
c
s
Bla it Job
m
rics
Sub e Met
nag lerts
Ma
eA
na g
a
M
Target
Hosts
Two-step authorization process enables finegrained access and segregation of duties:

Enterprise Manager authorization
Controls the access to the resources and
functionalities within Enterprise Manager
Manage target metrics thresholds
Set alert notification rules
Enable/disable Enterprise Manager packs
Target authorization
Controls the access to the resources and
functionalities within the target
CREATE new TABLE
Back-up database
Tune SQL
Enforced by target security model
Depends on the credential used to connect to the
target
41

Authorization Overview
SQLTuning DBA
Oracle Enterprise
Manager
Connect as
database user B
Connect as
database user A
Database 1
Database 2
Example:
Create new user, SQLTuningDBA, who is only
responsible for tuning 2 of 100 managed database
targets
Enterprise Manager authorization
Create EM user SQLTuningDBA
Grant VIEW Target Privilege on the 2 DB targets of
interest
Target authorization
Target credentials used should have the following
database privileges
select_any_catalog
administer sql tuning set
execute on dbms_workload_repository
Databases
42

Enterprise Manager Authorization Overview
What type of
administrator
should the
new user be?
Normal Enterprise
Manager Administrator
Has NO access to
anything unless granted
privileges
Super Administrator
Has FULL privileges on
all targets and the ability
to create Super
Administrators
43

Normal Enterprise Manager Administrator
Has NO access to anything unless granted

privileges
Super Administrator
Has FULL privileges on all targets and the

ability to create Super Administrators
What type of
administrator
should the
new user be?
What System
Privilege(s)
should the
user have?
Enterprise Manager
offers 10 System
Privileges (4 new in 11g
Release 1),e.g.,
Should the user be able
to VIEW any targets
to ADD new targets?
44


privileges
Super Administrator

What type of
administrator
should the
new user be?
What System
Privilege(s)
should the
user have?
Should the user only be

able to monitor the
databases of his own
department?
What target
should the
user be able
to access?
Enterprise Manager offers 10 System

Privileges (4 new in 11g Release 1),e.g.,
Should the user be able to VIEW any

targets
Should the user be able to ADD new

targets?
45


privileges
Super Administrator

What type of
administrator
should the
new user be?
What System
Privilege(s)
should the
user have?

Should the user be able to VIEW

any targets

targets?
Enterprise Manager
provides 7 Target
Privileges, e.g.,
What Target
Privilege(s)
should the
user have

to blackout target 1, 2
and 3?
to change metric
threshold setting for
target 4, 5 and 6?
Whether the user is able

to tune performance of
target 1 depends on the
credential he uses to
connect to target 1
What targets
should the
user be able
to access?
Should the user only be able to monitor the

databases of his own department?
46


privileges
Super Administrator

What type of
administrator
should the
new user be?
What System
Privilege(s)
should the
user have?


any targets

targets?
If groups of targets are

always monitored and
managed in the same
way, do we have to grant
the privileges on these
individual targets to the
user?
Privilege Propagating
Group Privileges
granted on the group
automatically granted on
its members
Group
Enterprise Manager provides 7 Target Privileges,

e.g.,
Should the user be able to blackout target

1, 2 and 3?
Should the user be able to change metric

threshold setting for target 4, 5 and 6?
Whether the user is able to tune performance of
target 1 depends on the credential he uses to
connect to target 1
What Target
Privilege(s)
should the
user have
What targets
should the
user be able
to access?

47


privileges
Super Administrator

What type of
administrator
should the
new user be?
What System
Privilege(s)
should the
user have?


any targets

targets?
Enterprise Manager provides 7 Target Privileges,

e.g.,
Should the user be able to blackout target

1, 2 and 3?
Should the user be able to change metric

threshold setting for target 4, 5 and 6?
Whether the user is able to tune performance of
target 1 depends on the credential he uses to
connect to target 1
Role
If there are a set of users

sharing the same
responsibilities, do we
have to grant all the
individual privileges one
by one to these users?
Role -- Set of privileges
What Target
Privilege(s)
should the
user have
What targets
should the
user be able
to access?
If groups of targets are always monitored and

managed in the same way, do we have to grant
the privileges on these individual targets to the
user?
Privilege Propagating Group Privileges granted
on the group automatically granted on its
members
Group

48

Enterprise Manager Authorization
Reduce the number of Super Administrators

Super Administrators have FULL privilege on all

targets and could create additional Super
Administrators
Grant only the minimum set of privileges

Follow the principle of least privilege to grant only
the minimum set of privileges to the users to fulfill
his responsibility
Authorization
Achieve segregation of duties and simplify

authorization management
Grant roles instead of individual privileges to users
Use roles along with Privilege Propagating groups
Jobs, Templates
Reports, etc
Databases
Application
Servers
Applications
Monitor privilege/role operations through

Enterprise Manager Auditing
Hosts
49

The Three As
Authentication
Authentication

Authorization
Audit
Authorization
Jobs, Templates
Reports, etc
Databases
Application
Servers
Applications
rts
epo gets
R
w
ar
Vie
ut T
o
k
c
s
Bla it Job
m
rics
b
Su
Met
e
ag
rts
Man e Ale
na g
Ma

Audit
repudiation
Hosts
50

Audit
Authentication
Audit
Authorization
Jobs, Templates
Reports, etc
Databases
Extended actions audited by Enterprise

Manager 61 actions (33 new actions in 11g
Release 1)
Built-in externalization service to purge audit

data from Repository and export to external
file system automatically
emcliupdate_audit_setting
file_prefix=<file_prefix>
directory_name=<directory_name>
file_size=<filesize>
data_retention_period=<periodin
days>
Application
Servers
Applications
Hosts
For example, User login/logoff, and privilege

granting/revoking, changes on monitoring
template, changes on user defined policies,
and database target start/stop/restart
GUI interface to view and search audit data
Setup ->Management Service and Repository

-> Audit Data
51
TheThree As Best Practices

Audit
Authentication
emcli enable_audit
Audit
Jobs, Templates
Reports, etc
Application
Servers
Applications
If you only care about a subset of actions,

you can just enable the auditing for them
emcli update_audit_settings
audit_switch=ENABLE
operations_to_enable=LOGIN;LOGOUT
Authorization
Databases
Enable Audit for EM Operations
Hosts
Configure the externalization service to

purge the audit data from the Repository to
an external file system on a regular basis.
emcli update_audit_setting
-directory="EM_DIR"
-file_prefix="emgc_audit"
-file_size="1000000"
-data_retention_period="60
52

Security
Audit The Three As
53
Security of Target Authentication

Credential System
Credentials
Credentials are typically username and
password required to access targets such
as databases, hosts, etc.
Stored encrypted in Repository or Agent
Enterprise Manager
Enterprise Manager
Grid Control
Users
Usages of credentials:
Oracle Management
Repository
Oracle Management
Service
Credentials are stored
encrypted
Target
Authentication
Agent
Agent
Database
Solaris
Targets
Application Server
Linux
Agent
Applications
Windows
Collect metrics in the background as well as

in real-time
Perform jobs like Backup, Patching, Cloning,
etc.
Real-time target administration like start,
stop,etc.
Connect to My Oracle Support for patches
Preferred credentials per user basis

Default credential per target type
Target credential per target
Target credential overrides default credential
54
Target Authentication Best Practices

Credential System
Do not set preferred credentials for
group/common accounts, e.g., SYSMAN. The
following SQL statement gives you the result
of preferred credential setting:
Enterprise Manager
Grid Control
SELECT
t.target_name,tc.user_name,tc.creden
tial_set_name
FROMMGMT_TARGET_CREDENTIALStc,
MGMT_TARGETSt
WHEREtc.target_guid=t.target_guid
Oracle Management
Repository
Preferred Credentials
UDM Collection Credentials
Job Credentials
Oracle Management
Service
Monitoring Credentials
Management Agent
Database User
Database
Keep track of the operations on credential by

enabling auditing the corresponding actions
Use emcli verbs to synchronize credentials
between Enterprise Manager and its database
targets
emcliupdate_db_password
user_name=DBUserName
change_at_target=yes
55
Target Authentication Best Practices

Host Target Authentication
Configure Pluggable Authentication Module(PAM) to take advantage of rich

authentication approaches to Host access
Kerberos, RADIUS and LDAP supported to take advantage of the centralized identity
storage and management
WebIV 422073.1: How to configure Agent with PAM to support LDAP authentication
Privilege Delegation (sudo/PowerBroker) supported across Enterprise Manager

Enable users to perform administrative tasks without providing credentials for
functional accounts
56
Threats vs. Best Practices

Security Threats
Best Practices
Man-in-the-Middle Attacks
Securing the communication

Enable TLS v1 protocol
Configure firewalls
Denial-of-Service Attacks
Secure individual Enterprise Manager

components
Exploitation of Authorization
Principle of least privileges

Auditing the authorization actions
Password crack Attacks
Change password on a regular basis

Enable password profile to enforce
password control
Repudiation
Enable auditing for Grid Control actions
57
Agenda

Q&A
Appendix
58

Manage its Own Security
Monitor its own security compliance
Security policies
Monitor EM security
Fix EM security
compliance
violations
Security at a glance
Oracle Enterprise
Manager
Oracle Management
Repository
Service
Oracle Management
Agent
Provides an overview of the security health

of the enterprise for all targets or specific
groups
Notification of violations
Oracle Management
Define the desired behaviors of systems in

terms of security
Email, Page, SNMP Traps, etc.
Fix its own security violations
Corrective actions
CPU Advisory
Patching automation
Connects to MOS to discover and pull in

new patches
Rapidly deploys security patches
59
Useful Whitepapers
Oracle Database Security Best Practices
http://www.oracle.com/technetwork/database/security/twpsecurity-checklist-database-1-132870.pdf
Oracle Weblogic Server Security Best Practices

http://download.oracle.com/docs/cd/E12839_01/web.1111/e
13705.pdf
Oracle Enterprise Manager Security Deployment

Best Practices
http://www.oracle.com/technetwork/oem/grid-control/twpsecurity-best-practices-133704.pdf
60
Additional Oracle Enterprise Manager Sessions
Thursday, Sept. 23
Location
3:00 p.m - The X-Files: Managing the Oracle Exadata and

Highly Available Oracle Databases
Moscone S. Room
102
3:00 p.m. - Monitoring and Diagnosing Oracle RAC

Performance with Oracle Enterprise Manager
Moscone S. Room
310
Oracle Enterprise Manager 11g

Resource Center
Access Videos, Webcasts, White Papers, and More
Oracle.com/enterprisemanager11g
63
Q&
A
64
Appendix
65

Oracle Management Repository
Secure the Oracle Listener to defend Denialof-Service (DoS) attacks
Oracle Management
Enable Connection Rate Limiter feature

Configure
$TNS_ADMIN/admin/listener.ora
Repository
Oracle Management
Service
Oracle Management
Agent
Connection_rate_Listenername=n
Rate_limit in ADDRESS section of listener
endpoint configuration
Listenername=(ADDRESS=
(PROTOCOL=tcp)
(HOST=Server1)
(PORT=1521)
(RATE_LIMIT=yes))
Please refer to the link for more information

http://www.oracle.com/technetwork/database/en
terprise-edition/oraclenetservices-connection
ratelim-133050.pdf
66

Secure communication
Secure lock OMS
Oracle Management
Repository

Oracle Management
Service
Management
Agent
Database
Application
Host
Enforces the communication with OMS only

over SSL/TLS
By default OMS is secure locked(10.2.0.5 and
after)
If your instance is upgraded from previous
version that is not secure locked, please issue
the following command
emctlsecurelock
And the following command can tell you if your
OMS is secure locked or not
emctlstatusomsdetails
HTTPConsolePort:7802
HTTPSConsolePort:5416
HTTPUploadPort:7654
HTTPSUploadPort:4473
AgentUploadislocked.
OMSConsoleislocked.
ActiveCAID:1
67

Oracle Management
Repository
Secure the agent

Oracle Management
Service
emctl status agent secure
AgentissecureatHTTPSPort1838
OMSissecureonHTTPSPort4473
emctl secure agent

Management
Agent
Database
Application
Host
68

Oracle Management
Securing communication between OMS

and Repository by enabling network
security feature of Advanced Security
Option (ASO)
Repository

Oracle Management
Service
Management
Agent
Database
Application
ASO is a DB option that combines network

encryption, database encryption and strong
authentication together to help customers
address privacy and compliance
requirements
Ensures that the data between OMS and
Repository is secure from both
confidentiality and integrity standpoints
Host
69

Securing communication between OMS and
Repository by enabling network security
feature of Advanced Security Option (ASO)
Oracle Management
Repository
Steps:

Oracle Management
Service
Set the following OMS configuration parameters

with the appropriate values by issuing the following
command:
emctl set property name <property_name>
-value <value>
oracle.sysman.emRep.dbConn.enableEncryp
tion=true
oracle.net.encryption_client=REQUESTED
oracle.net.encryption_types_client={DES
40C}
oracle.net.crypto_checksum_client=REQUE
STED
oracle.net.crypto_checksum_types_client
={MD5}
Management
Agent
Database
Application
Host
Add the following to Repositorys

$TNS_ADMIN/sqlnet.ora
SQLNET.ENCRYPTION_SERVER=REQUESTED
70

Enable the strong cipher suites for the
communication between Enterprise
Manager components
Oracle Management
Repository
Agent
Oracle Management
Service
Edit
$AGENT_HOME/sysman/config/emd.prop
erties to configure the strong cipher suites
SSLCipherSuites=
SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA
_WITH_RC4_128_SHA:SSL_RSA_WITH_AES_12
8_CBC_SHA:SSL_RSA_WITH_AES_256_CBC_SH
A
OMS:
Management
Update the following parameter in

$INSTANCE_HOME/WebTierIH1/config/O
HS/ohs1/httpd_em.conf and ssl.conf files
Agent
Database
Application
Host
SSLCipherSuite
SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH
_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CB
C_SHA:SL_RSA_EXPORT_WITH_DES40_CBC_SH
A
71

Use a certificate from well-known Certificate
Authority (CA) for the communication
Oracle Management
Trusted certificates
Different expiry and key size that meet special
security rules
Steps:
Repository

Oracle Management
Service
Management
Agent
Database
Application
Host
Create a wallet for each OMS in the grid.

Write certificates of all the Certificate
Authorities in the certificate chain into file
trusted_certs.txt.
Download file trusted_certs.txt file to agents
host machines
Restart Agent after running the add_trust_cert
command.
emctl secure add_trust_cert -trust_certs_loc
<location of trusted_certs.txt file>
Secure OMS and restart it.
emctl secure oms -wallet <location of wallet>
-trust_certs_loc <loc of trusted_certs.txt>
72

Firewall between browsers and Grid

Control Console
Firewall
Web-based
Grid Control
Browser
7777
7778
4443
Oracle Management
Service(OMS)
Configure the firewall to allow Grid

Control Console to receive HTTP traffic
over 7778
Or 7777 if Web cache is used in OMS
home
If Grid Control Console is secured as

mentioned earlier, configure firewall to
allow Grid Control Console to receive
HTTPS traffic over port 4443
73

Management
Oracle Management
Service(OMS)
SQL*Net
Firewall
Repository
Configure firewall between OMS and

Repository to allow Oracle Net traffic
flow
As mentioned earlier, to secure the
communication between OMS and Repository,
we need to enable Oracle ASO for Repository
ASO supports the following two types of
firewalls
Application proxy-based firewalls, such as
Network Associates Gauntlet, or Axent
Raptor
Stateful packet inspection firewalls, such as
Check Point Firewall-1, or Cisco PIX
Firewall
Some vendors firewalls can be configured to
recognize Oracle*Net traffic with their Oracle
Net Proxy Traffic Kits
Otherwise, define an ACL that allows traffic
flow between the subnet hosting the OMS
and the subnet hosting the repository
74
Privilege Propagating Group
Privilege Propagating Group

A special group that the privileges granted on will be propagated to its
nested and direct members
For a normal group, no matter what privileges (FULL, OPERATOR
or VIEW) on the group is granted to you, youll only get VIEW
privileges on the group members
System privilege Create Privilege Propagating Group is required to
create this type of group
Full privilege on the target is required to add the target as a member
of a group
emcli verb to convert the normal group and privilege propagating
group
emcli modify_group privilege_propagating =true/false
Privilege Propagating System, Redundancy Group, Aggregate

Services
75

Oracle Management
Service(OMS)
Firewall
My Oracle
Support
Configure OMS to use proxy server for its its

connections to My Oracle Support to check
CPUs
Update the following OMS properties via
emctl set property command:
emctl set property name <property>
-value <value>
PROXYHOST=proxyhostname.domain
PROXYPORT=port
If there are some agents on the hosts that
are inside the firewall, set dontProxyfor
property for these hosts
dontPROXYFor=
hostname1,hostname2
76
Manage Enterprise Manager Security

Monitor its own Security
Security Policies
Security at a glance
Security Violations
Help you quickly identify systems that are

not in compliance
Out-of-box policies adopted from industry
best practices
Customize policies to meet specific security
need in your organization
Helps you to quickly focus on security
issues by showing statistics about security
policy violations and noting the critical
security patches that have not been applied
Compliance scores and Violation flux
Notification of violations
E-mail, Page, SNMP Traps, etc.
77
Manage Enterprise Manager Security

Fix its Own Security Violations
Corrective actions to remediate

violations
CPU Advisories
Patching automation
Connects to MOS to discover and

pull in new patches
Rapidly deploys security patches
Corrective Actions
Security Violations
78

OEM Security Best Practices

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

OEM Security Best Practices

Uploaded by

Copyright:

Available Formats

1

<Insert Picture Here>

Oracle Enterprise Manager Security Best Practices

The following is intended to outline our general

Oracle Enterprise Manager Overview

<Insert Picture Here>

Oracle Enterprise Manager Overview

<Insert Picture Here>

2010 Oracle Corporation

Enterprise Manager Security Certification

Enterprise Manager security feature

Oracle Enterprise Manager Architecture Overview

Oracle Management Agent (Management Agent)

Oracle Enterprise Manager Architecture Overview

Oracle Management Service (OMS)

Oracle Enterprise Manager Architecture Overview

Oracle Management Repository (Management Repository)

Oracle Enterprise Manager Architecture Overview

Grid Control Console

Oracle Enterprise Manager Overview

<Insert Picture Here>

Enterprise Security Considerations and Threats

Data confidentiality and integrity

Password crack attacks

Enterprise Security Considerations and Threats

Data confidentiality and integrity

Password crack attacks

Data confidentiality and integrity

Enterprise Security Considerations and Threats

Data confidentiality and integrity

Password crack attacks

Available and usable upon demand by an authorized entity

Enterprise Security Considerations and Threats

Data confidentiality and integrity

Password crack attacks

Password crack attacks

Enterprise Security Considerations and Threats

Data confidentiality and integrity

Password crack attacks

Enterprise Security Considerations and Threats

Data confidentiality and integrity

Password crack attacks

Oracle Enterprise Manager Security Overview

1. Enterprise Manager Infrastructure

Enterprise Manager Infrastructure Security

Enterprise Manager Infrastructure

Grid Control Console

Infrastructure Security Best Practices

Apply all security patches

Use privilege delegation tool such as

Disable owner account , oracle, direct log in to

Infrastructure Security Best Practices

Restrict operation system access

Limiting the number of OS users with access on Oracle

Grid Control Console

Restrict network access to the Repository

Please refer to the link for more information

Infrastructure Security Best Practices

Protect WebLogic Server Home directory

Create no fewer than two user accounts with

To ensure one user maintains account access in

Infrastructure Security Best Practices

Deploy agent via pushing agents

Secure Shell (SSH) protocol is used