Securing Grid Control

Copyright © 2006, Oracle. All rights reserved.

Objectives

After completing this lesson, you should be able to:

Describe the security options available for Oracle Management Service and Oracle Management Agent

Configure Grid Control for use with proxy servers and through firewalls

Authenticate Grid Control administrators using Single Sign-On

Configure Grid Control for use with Enterprise User Security


Grid Control Security

Grid Control security has two primary goals:

Ensuring secure transfer of data between Grid Control components

Denying unauthorized users access to Grid Control monitoring data and administrative controls


Securing Grid Control

Enterprise Manager Framework Security provides safe and secure communication between the Grid Control components through:

Working with security features of Oracle HTTP Server

Implementing HTTPS and Public Key Infrastructure (PKI) components for communications between Oracle Management Service (OMS) and Oracle Management Agents

Using Oracle Advanced Security for communications between OMS and the Management Repository

Grid Control Security Framework

Grid Control Security Framework provides secure (encrypted) communication between Grid Control components:

Agent <-> OMS

OMS <-> Repository

[Diagram: Agent, encrypted channel, OMS (Web Cache, OHS, OC4J EM), encrypted channel, Repository]

Verify that Oracle Management Agents Are Secure


Managing Agent Registration Passwords

Use Grid Control to:

Change agent registration passwords

Create or remove additional registration passwords


Refusing Nonsecure Uploads

Configure OMS to refuse unencrypted uploads.

1. Stop all OMS services.

2. Configure OMS to refuse uploads via HTTP:

$ emctl secure lock

3. Start all OMS services.

Securing OMS-Repository Communication

To secure communication between the OMS and repository, enable the Oracle Advanced Security Option (ASO) for:

1. Repository

2. OMS

3. Agent monitoring the repository database

Enabling ASO for the Repository

Modify ORACLE_HOME/network/admin/sqlnet.ora to request encryption:

SQLNET.ENCRYPTION_SERVER=REQUESTED
SQLNET.CRYPTO_SEED="abcdefg123456789"

Enabling ASO for Each OMS

ASO for the OMS is configured through entries in OMS_HOME/sysman/config/emoms.properties:

oracle.sysman.emRep.dbConn.enableEncryption=TRUE
oracle.net.encryption_types_client=(DES40C)
oracle.net.encryption_client=REQUESTED

Stop and restart the OMS to implement the new parameters.

Enabling ASO for the Agent

Create AGENT_HOME/network/admin/sqlnet.ora as a text file with the following entry:

SQLNET.CRYPTO_SEED="abcdefg123456789"
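The following POSIX shell script is an added example covering the three ASO slides (repository, OMS, agent); it is not part of the Oracle lesson. It reads the settings those slides place in the repository's sqlnet.ora, the OMS's emoms.properties and the agent's sqlnet.ora, and works out from Oracle Net's negotiation rules (REJECTED / ACCEPTED / REQUESTED / REQUIRED on each side, ACCEPTED being the default when a side says nothing) whether each connection to the repository is actually encrypted. The sample files and values are constructed for the demo, and treating an OMS whose enableEncryption flag is not TRUE as a plain ACCEPTED client is this example's assumption.

```shell
#!/bin/sh
# Added example, not Oracle's code: check whether the OMS -> repository and
# agent -> repository links will be encrypted given the lesson's ASO settings.
set -eu

# Print the value of KEY from a sqlnet.ora or .properties FILE (last match
# wins, surrounding quotes stripped); print DEFAULT when the key is absent.
cfg_get() {
    file=$1; key=$2; default=$3
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    val=$(grep -i "^[[:space:]]*${key_re}[[:space:]]*=" "$file" 2>/dev/null \
          | tail -n 1 \
          | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Oracle Net encryption negotiation for one server setting and one client
# setting.  Prints: encrypted, cleartext or fails.
aso_negotiate() {
    server=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    client=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    case "$server:$client" in
        REJECTED:REQUIRED|REQUIRED:REJECTED) echo fails ;;        # one side insists, the other refuses
        REJECTED:*|*:REJECTED|ACCEPTED:ACCEPTED) echo cleartext ;; # nobody asks for encryption
        REQUIRED:*|*:REQUIRED|REQUESTED:*|*:REQUESTED) echo encrypted ;;
        *) echo unknown ;;
    esac
}

# OMS -> repository: server side from the repository sqlnet.ora ($1), client
# side from emoms.properties ($2).  Assumption of this example: when
# oracle.sysman.emRep.dbConn.enableEncryption is not TRUE the oracle.net.*
# entries are not applied, so the client behaves as the ACCEPTED default.
check_oms_repo() {
    server=$(cfg_get "$1" SQLNET.ENCRYPTION_SERVER ACCEPTED)
    enabled=$(cfg_get "$2" oracle.sysman.emRep.dbConn.enableEncryption FALSE | tr '[:lower:]' '[:upper:]')
    if [ "$enabled" = TRUE ]; then
        client=$(cfg_get "$2" oracle.net.encryption_client ACCEPTED)
    else
        client=ACCEPTED
    fi
    aso_negotiate "$server" "$client"
}

# Agent -> repository: the lesson's agent sqlnet.ora ($2) carries only the seed,
# so SQLNET.ENCRYPTION_CLIENT falls back to ACCEPTED and the repository's
# REQUESTED setting ($1) is what makes the link encrypted.
check_agent_repo() {
    server=$(cfg_get "$1" SQLNET.ENCRYPTION_SERVER ACCEPTED)
    client=$(cfg_get "$2" SQLNET.ENCRYPTION_CLIENT ACCEPTED)
    aso_negotiate "$server" "$client"
}

# Each sqlnet.ora side that encrypts needs SQLNET.CRYPTO_SEED; 0 if FILE sets one.
has_crypto_seed() {
    [ -n "$(cfg_get "$1" SQLNET.CRYPTO_SEED '')" ]
}

# Demo on constructed files carrying the lesson's values.
work=$(mktemp -d)
cat > "$work/repo_sqlnet.ora" <<'EOF'
# constructed: repository side
SQLNET.ENCRYPTION_SERVER=REQUESTED
SQLNET.CRYPTO_SEED="abcdefg123456789"
EOF
cat > "$work/emoms.properties" <<'EOF'
# constructed: the three entries the lesson adds to emoms.properties
oracle.sysman.emRep.dbConn.enableEncryption=TRUE
oracle.net.encryption_types_client=(DES40C)
oracle.net.encryption_client=REQUESTED
EOF
cat > "$work/agent_sqlnet.ora" <<'EOF'
# constructed: agent side, seed only
SQLNET.CRYPTO_SEED="abcdefg123456789"
EOF
printf 'OMS -> repository:   %s\n' "$(check_oms_repo "$work/repo_sqlnet.ora" "$work/emoms.properties")"
printf 'Agent -> repository: %s\n' "$(check_agent_repo "$work/repo_sqlnet.ora" "$work/agent_sqlnet.ora")"
for f in repo_sqlnet.ora agent_sqlnet.ora; do
    has_crypto_seed "$work/$f" || printf 'WARNING: no SQLNET.CRYPTO_SEED in %s\n' "$f"
done
rm -rf "$work"
```

Point the three check functions at the real ORACLE_HOME, OMS_HOME and AGENT_HOME files to verify the configuration before and after the OMS restart; a result of cleartext on either link means one side is still at the ACCEPTED default and nobody has asked for encryption.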

Securing Application Server Control

The stand-alone Application Server Control console may also be configured for secure operation:

Stop the stand-alone console:

emctl stop iasconsole

Secure the stand-alone console:

emctl secure em

Start the stand-alone console:

emctl start iasconsole


Enabling Enterprise Manager Security Framework

To enable Enterprise Manager Security Framework, the components must be configured in a specific order:

1. Secure the OMS (done by default in Grid Control R2).

2. For each Oracle Management Agent, stop it, secure it, and restart it:

emctl stop agent
emctl secure agent
emctl start agent

3. When all agents are secure, lock the OMS:

emctl secure lock

Configuring Enterprise Manager for Firewalls

Before configuring your firewall, consider the following:

It should be the last phase of the Enterprise Manager deployment.

For existing firewalls, open default Enterprise Manager communication ports until the installation and configuration processes are complete.

If enabling Enterprise Manager Framework Security, do not secure the agents until you confirm that HTTP and HTTPS traffic between the agent and Management Repository works.

After confirming that the OMS and Oracle Management Agents can communicate, complete the transition into secure mode and change firewall configuration as necessary.


Firewall Configuration for Grid Control Components

Firewalls between the browser and the Grid Control console

Oracle Management Agent protected by a firewall

Management Service protected by a firewall

Firewalls between the Management Service and the Management Repository

Firewalls between Grid Control and a managed database target

Firewalls used with multiple Management Services

Firewalls to allow ICMP and UDP traffic for beacons

Firewalls when managing Oracle Application Server

Configuring the Agent for Proxy Communication

To configure the agent so that it communicates via a proxy server, perform the following steps:

1. Stop the Oracle Management Agent.

2. Add proxy information to AGENT_HOME/sysman/config/emd.properties:

REPOSITORY_PROXYHOST
REPOSITORY_PROXYPORT

3. Start the Oracle Management Agent.

[Diagram: Oracle Management Agent communicating with the OMS through a proxy server]

Configuring the OMS for Proxy Communication

To configure the OMS so that it communicates via a proxy server, perform the following steps:

1. Stop the OMS.

2. Add proxy information to OMS_HOME/sysman/config/emoms.properties.

3. Start the OMS.

[Diagram: OMS (Web Cache, OHS, OC4J EM) communicating through a proxy server]

Authenticating Grid Control Administrators

Grid Control administrators are:

Authenticated as repository database users

Created and managed through the Grid Control console

If desired, administrators may be created, managed, and authenticated via Oracle Single Sign-On.

Oracle Single Sign-On

Single Sign-On (SSO) is a component of Oracle Application Server that enables users to log in to Web applications by using a single username and password.

Configuring Grid Control to use Single Sign-On is a two-step process:

1. Configure the OMS to use SSO.

2. Add Grid Control users.

Configuring the OMS for SSO

To configure the OMS to use SSO, perform the following steps:

1. Stop the OMS.

2. Reconfigure the OMS to use SSO:

emctl config sso -host -port -sid -pass -das ...

3. Start the OMS.

[Diagram: OMS (Web Cache, OHS, OC4J EM)]

Enterprise User Security

With Enterprise User Security, database users are authenticated through a centralized directory.

Instead of storing management credentials for each target database, the OMS may be configured to use Enterprise User Security.

[Diagram: Grid Control authenticating against Oracle Internet Directory]

Configuring the OMS for Enterprise User Security

To configure an OMS for use with Enterprise User Security, perform the following steps:

1. Stop all OMS services.

2. Edit emoms.properties to enable Enterprise User Security.

3. Start OMS services.

[Diagram: OMS (Web Cache, OHS, OC4J EM)]

Summary

In this lesson, you should have learned how to:

Describe the security options available for Oracle Management Service and Oracle Management Agent

Configure Grid Control for use with proxy servers and through firewalls

Authenticate Grid Control administrators using Single Sign-On

Configure Grid Control for use with Enterprise User Security
