Securing Grid Control
Copyright © 2006, Oracle. All rights reserved.
Objectives
After completing this lesson, you should be able to:
• Describe the security options available for Oracle Management Service and Oracle Management Agent
• Configure Grid Control for use with proxy servers and through firewalls
• Authenticate Grid Control administrators using Single Sign-On
• Configure Grid Control for use with Enterprise User Security
Grid Control Security
Grid Control security has two primary goals:
• Ensuring secure transfer of data between Grid Control components
• Denying unauthorized users access to Grid Control monitoring data and administrative controls
Securing Grid Control
Enterprise Manager Framework Security provides safe and secure communication between the Grid Control components through:
• Working with security features of Oracle HTTP Server
• Implementing HTTPS and Public Key Infrastructure (PKI) components for communications between Oracle Management Service (OMS) and Oracle Management Agents
• Using Oracle Advanced Security for communications between OMS and the Management Repository
Grid Control Security Framework
Grid Control Security Framework provides secure (encrypted) communication between Grid Control components:
• Agent <-> OMS
• OMS <-> Repository
[Figure: Agent -> (encrypted channel) -> OMS (Web Cache, OHS, OC4J EM) -> (encrypted channel) -> Repository]
Verify that Oracle Management Agents Are Secure
Managing Agent Registration Passwords
Use Grid Control to:
• Change agent registration passwords
• Create or remove additional registration passwords
Refusing Nonsecure Uploads
Configure OMS to refuse unencrypted uploads.
1. Stop all OMS services.
2. Configure OMS to refuse uploads via HTTP:
   $ emctl secure lock
3. Start all OMS services.
Securing OMS-Repository Communication
To secure communication between the OMS and repository, enable the Oracle Advanced Security Option (ASO) for:
1. Repository
2. OMS
3. Agent monitoring the repository database
Enabling ASO for the Repository
Modify ORACLE_HOME/network/admin/sqlnet.ora to request encryption:
• SQLNET.ENCRYPTION_SERVER
• SQLNET.CRYPTO_SEED
Example entries on the repository database (OMR):
SQLNET.ENCRYPTION_SERVER=REQUESTED
SQLNET.CRYPTO_SEED="abcdefg123456789"
Enabling ASO for Each OMS
ASO for the OMS is configured through entries in OMS_HOME/sysman/config/emoms.properties:
oracle.sysman.emRep.dbConn.enableEncryption=TRUE
oracle.net.encryption_types_client=(DES40C)
oracle.net.encryption_client=REQUESTED
Stop and restart the OMS to implement the new parameters.
Enabling ASO for the Agent
Create AGENT_HOME/network/admin/sqlnet.ora as a text file with the following entry:
• SQLNET.CRYPTO_SEED
SQLNET.CRYPTO_SEED="abcdefg123456789"
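The three ASO slides (repository sqlnet.ora, OMS emoms.properties, agent sqlnet.ora) give the entries to add but no way to confirm them afterwards. The following shell script is an added example, not Oracle's code: it audits those files for the settings the lesson asks for and flags the two things a reviewer would question, negotiation modes that can fall back to clear text and 40/56-bit cipher choices. The sample files it writes are constructed to mirror the slides; conf_get, check_mode, check_seed, audit_sqlnet and audit_emoms are names chosen for this example.

```shell
#!/bin/sh
# Added example, not Oracle's code: audit the Advanced Security settings this
# lesson asks for in sqlnet.ora (repository and agent) and emoms.properties
# (OMS). Sample files are constructed below so the script runs offline; point
# the functions at real files to audit a deployment. Findings print one per
# line and each audit function returns the number of findings (0 = clean).

# conf_get FILE KEY: value of KEY=VALUE in FILE with quotes stripped (empty if
# absent). Assumes one KEY per line at line start, as on the slides.
conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '"'
}

# Negotiation modes for SQLNET.ENCRYPTION_* and oracle.net.encryption_client:
# REQUIRED enforces encryption; REQUESTED asks but silently falls back to clear
# text if the peer REJECTs; ACCEPTED (the default) only encrypts if the peer asks.
check_mode() {   # check_mode LABEL VALUE -> prints a finding and returns 1 if any
  case "$2" in
    REQUIRED)    return 0 ;;
    REQUESTED)   echo "WARN $1=REQUESTED: falls back to clear text if the peer rejects encryption; REQUIRED enforces it" ;;
    ''|ACCEPTED) echo "WARN $1 unset/ACCEPTED: relies on the peer to request encryption" ;;
    *)           echo "FAIL $1=$2: encryption is not negotiated" ;;
  esac
  return 1
}

check_seed() {   # check_seed FILE -> 1 if CRYPTO_SEED is missing or copied from the slides
  seed=$(conf_get "$1" SQLNET.CRYPTO_SEED)
  if [ -z "$seed" ]; then
    echo "FAIL $1: SQLNET.CRYPTO_SEED not set"; return 1
  elif [ "$seed" = "abcdefg123456789" ]; then
    echo "WARN $1: SQLNET.CRYPTO_SEED is the value printed in the course slides; use a site-specific random string"; return 1
  fi
  return 0
}

# audit_sqlnet FILE ROLE  (ROLE: server for the repository, client for the agent)
audit_sqlnet() {
  n=0
  if [ "$2" = server ]; then
    check_mode "$1: SQLNET.ENCRYPTION_SERVER" "$(conf_get "$1" SQLNET.ENCRYPTION_SERVER)" || n=$((n+1))
  elif [ "$(conf_get "$1" SQLNET.ENCRYPTION_CLIENT)" = REJECTED ]; then
    echo "FAIL $1: SQLNET.ENCRYPTION_CLIENT=REJECTED defeats the repository's REQUESTED setting"; n=$((n+1))
  fi
  check_seed "$1" || n=$((n+1))
  return $n
}

# audit_emoms FILE: the OMS side, as on the "Enabling ASO for Each OMS" slide
audit_emoms() {
  n=0
  [ "$(conf_get "$1" oracle.sysman.emRep.dbConn.enableEncryption)" = TRUE ] ||
    { echo "FAIL $1: oracle.sysman.emRep.dbConn.enableEncryption is not TRUE"; n=$((n+1)); }
  check_mode "$1: oracle.net.encryption_client" "$(conf_get "$1" oracle.net.encryption_client)" || n=$((n+1))
  types=$(conf_get "$1" oracle.net.encryption_types_client)
  case "$types" in
    *DES40*|*DES56*|*RC4_40*|*RC4_56*)
      echo "WARN $1: oracle.net.encryption_types_client=$types allows a 40/56-bit cipher; prefer AES or 3DES168"; n=$((n+1)) ;;
  esac
  return $n
}

# Constructed sample files reproducing the slides' entries (not real output).
write_samples() {
  cat > "$1/sqlnet.ora" <<'EOF'
SQLNET.ENCRYPTION_SERVER=REQUESTED
SQLNET.CRYPTO_SEED="abcdefg123456789"
EOF
  cat > "$1/emoms.properties" <<'EOF'
oracle.sysman.emRep.dbConn.enableEncryption=TRUE
oracle.net.encryption_types_client=(DES40C)
oracle.net.encryption_client=REQUESTED
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
total=0
audit_sqlnet "$dir/sqlnet.ora" server || total=$((total + $?))
audit_emoms "$dir/emoms.properties" || total=$((total + $?))
echo "findings: $total"        # prints "findings: 4" for the slide values
rm -rf "$dir"
```

Against live files the calls are audit_sqlnet ORACLE_HOME/network/admin/sqlnet.ora server, audit_sqlnet AGENT_HOME/network/admin/sqlnet.ora client and audit_emoms OMS_HOME/sysman/config/emoms.properties. With the slide values it reports four findings and no FAIL, which is the point: the lesson's entries turn encryption on, but REQUESTED and DES40C are the floor, not the ceiling.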
Securing Application Server Control
Stand-alone Application Server Control console may also be configured for secure operation:
• Stop the stand-alone console:
  – emctl stop iasconsole
• Secure the stand-alone console:
  – emctl secure em
• Start the stand-alone console:
  – emctl start iasconsole
Enabling Enterprise Manager Security Framework
To enable Enterprise Manager Security Framework, the components must be configured in a specific order:
1. Secure the OMS (done by default in Grid Control R2).
2. For each Oracle Management Agent, stop it, secure it, and restart it:
   emctl stop agent
   emctl secure agent
   emctl start agent
3. When all agents are secure, lock the OMS:
   emctl secure lock
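The order on this slide matters because the final step, emctl secure lock, makes the OMS reject any agent that still uploads over HTTP. The following shell script is an added example, not Oracle's code: it runs the per-agent stop/secure/start sequence over a list of hosts and performs the OMS lock (wrapped in the stop/start from the "Refusing Nonsecure Uploads" slide) only when every agent step succeeded. run_on and the EM_RUN hook are assumptions of this example, the host names are constructed, and in its default dry-run mode nothing is executed.

```shell
#!/bin/sh
# Added example, not Oracle's code: apply the lesson's ordering for enabling
# Enterprise Manager Framework Security. Every agent is stopped, secured and
# restarted first; the OMS is locked (HTTPS-only uploads) only if every agent
# step succeeded, so an agent still uploading over HTTP is never cut off.
#
# run_on HOST CMD... is a hypothetical transport hook (an assumption of this
# example). With EM_RUN unset it prints the command instead of running it, so
# the script is a dry run; set EM_RUN to a function or wrapper that executes
# CMD on HOST (for example an ssh wrapper) to perform the real change.
run_on() {
  host=$1; shift
  if [ -n "${EM_RUN:-}" ]; then
    "$EM_RUN" "$host" "$@"
  else
    echo "[$host] $*"
  fi
}

# Stop, secure and restart one Management Agent. emctl asks for the agent
# registration password when it is not given to 'emctl secure agent'.
secure_agent() {
  h=$1
  run_on "$h" emctl stop agent &&
  run_on "$h" emctl secure agent &&
  run_on "$h" emctl start agent
}

# Lock the OMS so it refuses unencrypted uploads, as on the "Refusing
# Nonsecure Uploads" slide: stop OMS services, 'emctl secure lock', start them.
lock_oms() {
  o=$1
  run_on "$o" emctl stop oms &&
  run_on "$o" emctl secure lock &&
  run_on "$o" emctl start oms
}

# secure_all_then_lock OMSHOST "AGENTHOST ..." : returns 1 and leaves the OMS
# unlocked if any agent could not be secured; the remaining agents are still
# attempted so the operator sees every failure in one pass.
secure_all_then_lock() {
  oms=$1; agents=$2; failed=0
  for a in $agents; do
    secure_agent "$a" || { echo "ERROR: agent on $a not secured; OMS left unlocked" >&2; failed=1; }
  done
  [ "$failed" -eq 0 ] || return 1
  lock_oms "$oms"
}

# Dry run with constructed host names (no real hosts are contacted).
secure_all_then_lock oms.example.test "agent1.example.test agent2.example.test"
```

In the dry run the printed sequence ends with the three OMS commands, and the lock line never appears if any agent host fails, which is the invariant the slide's ordering is protecting.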
Configuring Enterprise Manager for Firewalls
Before configuring your firewall, consider the following:
• It should be the last phase of the Enterprise Manager deployment.
• For existing firewalls, open default Enterprise Manager communication ports until the installation and configuration processes are complete.
• If enabling Enterprise Manager Framework Security, do not secure the agents until you confirm that HTTP and HTTPS traffic between the agent and Management Repository works.
• After confirming that the OMS and Oracle Management Agents can communicate, complete the transition into secure mode and change firewall configuration as necessary.
Firewall Configuration for Grid Control Components
• Firewalls between the browser and the Grid Control console
• Oracle Management Agent protected by a firewall
• Management Service protected by a firewall
• Firewalls between the Management Service and the Management Repository
• Firewalls between Grid Control and a managed database target
• Firewalls used with multiple Management Services
• Firewalls to allow ICMP and UDP traffic for beacons
• Firewalls when managing Oracle Application Server
Configuring the Agent for Proxy Communication
To configure the agent so that it communicates via a proxy server, perform the following steps:
1. Stop the Oracle Management Agent.
2. Add proxy information to AGENT_HOME/sysman/config/emd.properties:
   – REPOSITORY_PROXYHOST
   – REPOSITORY_PROXYPORT
3. Start the Oracle Management Agent.
[Figure: Agent -> proxy server -> OMS]
Configuring the OMS for Proxy Communication
To configure the OMS so that it communicates via a proxy server, perform the following steps:
1. Stop the OMS.
2. Add proxy information to OMS_HOME/sysman/config/emoms.properties.
3. Start the OMS.
[Figure: OMS (Web Cache, OHS, OC4J EM) -> proxy server]
Authenticating Grid Control Administrators
Grid Control administrators are:
• Authenticated as repository database users
• Created and managed through the Grid Control console
If desired, administrators may be created, managed, and authenticated via Oracle Single Sign-On.
Oracle Single Sign-On
• Single Sign-On (SSO) is a component of Oracle Application Server that enables users to log in to Web applications by using a single username and password.
• Configuring Grid Control to use Single Sign-On is a two-step process:
  1. Configure the OMS to use SSO.
  2. Add Grid Control users.
Configuring the OMS for SSO
To configure the OMS to use SSO, perform the following steps:
1. Stop the OMS.
2. Reconfigure the OMS to use SSO:
   emctl config sso -host ...
3. Start the OMS.
[Figure: OMS (Web Cache, OHS, OC4J EM)]
Enterprise User Security
• With Enterprise User Security, database users are authenticated through a centralized directory.
• Instead of storing management credentials for each target database, the OMS may be configured to use Enterprise User Security.
[Figure: Grid Control -> Oracle Internet Directory]
Configuring the OMS for Enterprise User Security
To configure an OMS for use with Enterprise User Security, perform the following steps:
1. Stop all OMS services.
2. Edit emoms.properties to enable Enterprise User Security.
3. Start OMS services.
[Figure: OMS (Web Cache, OHS, OC4J EM)]
Summary
In this lesson, you should have learned how to:
• Describe the security options available for Oracle Management Service and Oracle Management Agent
• Configure Grid Control for use with proxy servers and through firewalls
• Authenticate Grid Control administrators using Single Sign-On
• Configure Grid Control for use with Enterprise User Security