Home / Educational Content / Database & Technology / SELECT Journal / Oracle Enterprise Manager 12c (EM 12c) Infrastructure and Operational Security

Oracle Enterprise Manager 12c (EM 12c) Infrastructure and Operational Security


By Janet Wakeley
Edited by Ray Smith

Enterprise Manager Cloud Control (EM 12c) is system management software that provides centralized monitoring, administration, and lifecycle management functionality. The operational control and infrastructure components of the tool require security considerations including authentication, authorization, and encryption to ensure proper integrity and availability. This document will take a look at the various components and the options for securing them and will provide recommendations based on best practices and business constraints.

Security Overview

A defense-in-depth approach to securing the EM 12c infrastructure ensures that all layers of the technology stack are evaluated for potential risks and secured appropriately. At the same time, it is important to avoid impeding the productivity gains afforded by the tool with an overzealous or unsuitable locking down of the environment. It is important to understand the threats and vulnerabilities so appropriate countermeasures can be deployed.

Confidentiality, integrity, and availability — also known as the security triad — are the key attributes to keep in mind when identifying and applying security standards to hardware, software, and communications that comprise an information system. Confidentiality is the term used to describe the prevention of information disclosure to unauthorized individuals or systems; integrity means that data cannot be modified undetectably; and for any information system to serve its purpose, the information must be available when needed.

Table 1 is a high-level overview of typical security concerns and some of the protections used to mitigate the risk of a vulnerability being exploited. It is not meant to be an exhaustive list but, rather, provide a quick snapshot of some common information system security concerns and mitigating controls.

Table 1

IT security controls are often implemented without a proper risk analysis being completed. The result is an all-or-nothing approach, where the controls can either far exceed adequate protections or fall drastically short of preventing even the most common attacks. It is important to understand not only the components and communication that make up the system, but also the environment in which it is being deployed and the targets it is managing to do an accurate risk assessment. Risk is the likelihood that potential threats may exploit vulnerabilities. It is important to note that the loss potential of some risks may not warrant the cost of protecting against it. Also, the degree of risk may vary greatly depending on the environment (e.g., managing hosted customer applications in the cloud versus one used to manage top secret government document repositories).

Figure 1: Enterprise Manager Components and Communication Links

Figure 1 is a simplified diagram showing the main components of a typical Enterprise Manager 12c configuration and the communication paths between them. The diagram shows six main components:

  • HTML Console
  • Web Logic Server (WLS) hosting the Oracle Management Service (OMS)
  • Oracle Database Repository
  • Target agent(s)
  • Target database(s) and other managed target technologies
  • Oracle Corporation

There are five critical communication links:

  • OMS – Console
  • OMS – Target agent(s): Including agents deployed on the OMS and Repository DB Host
  • OMS – Target database(s): Including the Repository DB
  • OMS – Oracle Corporation (My Oracle Support)
  • OMS – Other managed Target Technologies

The following sections review the components, the communication links between them and offer recommendations for securing them.

HTML Console

The HTML Console is used by administrators to access the Oracle HTTP server hosting EM 12c. Typically, this would be PC type hardware using browser software such as Microsoft Internet Explorer or Mozilla Firefox and communicating remotely to and from the server hosting the EM 12c application. As such, admin messages could be intercepted, spoofed or falsified. Oracle provides the option to use the unsecured HTTP protocol or the encrypted HTTPS (SSL/TLS over HTTP) protocol. The latter is the default in EM 12c. If stricter rules are required, a firewall can be used to further restrict access.

Another key consideration is that some data from EM 12c can be downloaded to the remote PC, such as inventory reports, configuration data, and target compliance details. Therefore, it may be necessary to take precautions to secure the PC against data loss, such as encrypting the hard drive, strong authentication, and access controls. If administrators work outside of your enterprise network, a VPN should be used to secure the connection. EM 12c has the ability to use an iDevice to remotely connect to Enterprise Manager for the purpose of managing incidents and problems using the Cloud Control Mobile app available from the iTunes store. This app supports connections over VPN.

Oracle Management Service

The Oracle Management Service (OMS) receives monitoring data from the various agents and loads it into the management repository. The management console retrieves data from the management repository, organizes it and then displays it as information to the administrator via the HTML console interface. Plug-ins are entities that offer management capabilities for specific target types. They work together with the OMS and the management agent to monitor targets in the environment. The mandatory management plug-ins include the following:

  • Oracle Database – used to monitor and manage Oracle Database and related targets such as RAC and ASM.
  • Oracle Fusion Middleware – used to monitor and manage Oracle Fusion Middleware products such as Oracle WebLogic Domain, Oracle WebLogic AdminServer, Oracle WebLogic Server, Oracle SOA Suite, and Oracle Web Tier.
  • Oracle MOS – used to log in to My Oracle Support from within EM 12c console, search the knowledge base, raise service requests and create patch plans and templates for patching monitored targets.

The OMS is the heart of the management system and is used to monitor and manage all the various supported targets. In order to do so, it must be allowed to connect to those targets and perform a broad set of privileged administrative activities. The security implications of this involve all aspects of confidentiality, integrity and availability and should be considered carefully and managed appropriately.

First, the machines that host the web tier, application tier and repository database should be hardened. For specific recommendations and how-to instructions for various platforms, refer to the Center of Internet Security (CIS) benchmarks. As an example, the benchmark for RedHat Linux 5 mandates installing updates, applying security patches, removing unsecure services such as rsh, rlogin, telnet, etc., and minimizing the attack surface by not installing, removing or disabling extraneous components or services. These hardening steps have the additional benefit of freeing up resources that can be used to improve the performance and availability of the OMS. Other recommendations include filesystem and network configurations, enabling auditing and logging, and implementing strong authentication and authorization controls.

In addition, Oracle recommends protecting the WebLogic Server (WLS) home directory, especially the domain directory, which contains configuration files, security files, log files and other Java EE resources for the domain. This protection is achieved by limiting the OS users who have access to the WLS home directory and limiting the number of system administrator accounts. Patching all Oracle homes is also strongly recommended, including the OMS, repository DB, agents and managed targets with the latest Critical Patch Update (CPU) patches. Patching ensures known vulnerabilities within these applications are fixed and further reduces the attack surface to prevent common exploits such as SQL injections, privilege escalations and denial-of-service.

There are additional compliance standards for database and WLS that can be applied depending on the level of security required. Refer to the “Oracle Fusion Middleware Securing a Production Environment for Oracle WebLogic Server” and the “Oracle Database Security Checklist” for more detailed information.

Oracle Management Service Communication

It is imperative to secure the communication between the Oracle Management Service and the various components it interacts with to ensure sensitive data such as credentials and other target data are transmitted securely.

In EM 12c, the default installation will automatically secure-lock the OMS, which requires that agents communicate only through HTTPS port and that the HTTP port is locked. This ensures that communications are always encrypted and mutually authenticated. All requests from un-secure agents are rejected by the OMS and any un-secure request from the OMS is rejected by the agent. This helps safeguard the management system from man-in-the-middle attacks occurring from within the infrastructure. To ensure the console access from the client browser is secure over SSL/TLS, the console must be locked, as well.

To enable Enterprise Manager Framework Security for the Management Service, use the emctl secure OMS utility to perform the following actions:

  • Generate a root key in the management repository. The root key is used during the distribution of Oracle wallets containing unique digital certificates for management agents.
  • Modify the WebTier to enable an HTTPS channel between the management service and management agents, independent from any existing HTTPS configuration that may be present in the WebTier.
  • Enable the management service to accept requests from management agents using Enterprise Manager Framework Security.

Note that once OMSs are running in secure-lock mode, unsecure agents will not be able to upload any data to the OMSs. Agents should be deployed using the EM 12c agent deploy job, which uses the secure SSH protocol. If manually deploying agents, protect against the possibility of unauthorized agents being installed by using one-time registration passwords that have a reasonable expiry date instead of persistent registration passwords.

The OMS can be configured in the following modes:

  • TLSv1-only mode
  • SSLv3-only mode
  • Mixed mode

Mixed mode is configured by default in EM 12c, but Oracle recommends configuring the OMS in TLSv1 only mode as a security best practice. This difference may be due to the differences between the hash functions used for the master key derivation process and that, as such, the SSL 3.0 implementations cannot be validated under the Federal Information Processing Standards (FIPS-140-2). This is not to say that TLSv1 is without security concerns. In September 2011, researchers used a Java Applet to violate “same origin policy” constraints for a long-known cipher-block-chaining (CBC) vulnerability referred to as BEAST (Browser Exploit Against SSL/TLS). Mozilla Firefox, Google Chrome, and Microsoft have all developed and released fixes to mitigate BEAST-like attacks. It can also be prevented by removing all CBC ciphers from the list of allowed ciphers.

The key takeaway here is that the cat and mouse game between security professionals and attackers continues and should be part of the risk equation when evaluating the level of control necessary to secure the environment. This also highlights the need to look at security in a holistic view; all levels of the technology need to be updated with relevant fixes in order to prevent breaches. Often desktops and browsers are overlooked, in combination with the application server and all Java components.

Repository DB

The Oracle Enterprise Management Repository database stores information collected and used by the management agents. It consists of objects such as database jobs, packages, procedures, views, and tablespaces. As previously stated, all security best practices for securing Oracle databases and the hosts they reside on apply to the repository database as well. Special consideration should be given to the highly privileged accounts used to manage EM 12c. SYSMAN is the schema owner, and access to this account should be secured following similar procedures used to secure other privileged accounts (SYS, SYSTEM) in the environment. Users should use individual accounts and be granted only the privileges required to perform the tasks assigned to them. More information regarding authentication, authorization and audit capabilities will be discussed in detail in the operational security section of this document.

Credentials used to access hosts, databases and application servers are stored in the repository DB and may include basic username-password or strong authentication schemes such as PKI, SSH-keys and/or Kerberos. Since the credentials are stored in the repository DB, it is critical they are stored and transmitted securely.

Oracle EM 12c provides cryptographic support of sensitive data by a sign-on verification method known as the emkey. This encryption key is the master key used to encrypt/decrypt sensitive information such as passwords and preferred credentials that are stored in the repository DB. The key is originally stored in the repository, then removed and copied to the credential store during the installation of the first OMS. A backup of this file should be generated and stored securely; without it, OMS will fail to start. By storing the key separately from the Oracle Enterprise Manager schema, the sensitive data in the repository remains inaccessible to the schema owner and other SYSDBA (highly privileged) users.

Repository DB Communication

The Oracle Net foundation layer establishes and maintains the connection between the client application and database server using Transparent Network Substrate (TNS) technology, which enables peer-to-peer application connectivity. The Oracle protocol support layer is responsible for mapping TNS functionality to industry-standard protocols used in the client/server connection. The default protocol used by the repository database is TCP/IP, which means data will be transmitted in clear text. In order to encrypt the data, the Oracle Advanced Security Option (ASO) is required to enable TCP/IP with SSL and is a separately licensed product provided by Oracle.

The credentials stored in the EM 12c repository DB are encrypted by the emkey and are protected. Other data stored in the repository consist of items such as infrastructure configurations, inventory, performance metrics, and compliance metrics and, as such, may not warrant the cost associated with additional security controls. Note that if EM 12c is used to manage databases containing classified or regulated data, administrators have been granted access privileges to that data, and the data is not encrypted, it could be transmitted in clear text. If the repository DB is the only database on the host, you can restrict network access to the repository DB host by configuring the Oracle listener to only accept requests from OMS nodes by adding the following parameters in the TNS_ADMIN/protocol.ora file:

  • tcp.validnode_checking =YES
  • tcp.excluded_nodes = (list of IP addresses)
  • tcp.invited_nodes = (list of IP addresses of OMS nodes)

Advanced Security Option

Oracle Advanced Security Option (ASO) ensures the security of data transferred to and from an Oracle database. As previously stated, it is a separately licensed product that can be configured to improve the security of both the EM 12c infrastructure and any target Oracle databases that may benefit from the security enhancements that ASO provides. See the Oracle Database Advanced Security Administrator’s Guide 11g Release 2 for more details. If ASO is enabled for the repository DB, the OMS and agent must also be configured to connect to a secure database.

Firewalls

Firewalls protect a company’s IT infrastructure by providing the ability to restrict network traffic, examining network packets as they arrive and determining the appropriate course of action. Firewall configuration typically involves creating rules to restrict the ports and protocols that can be used on the network. Most organizations use firewalls, and it is important to understand how to deploy Enterprise Manager 12c components with firewalls to gain the maximum benefit of protection while minimizing any potential negative impact they may have on the effectiveness of the tool. Oracle suggests that firewall configuration should be the last phase of EM 12c installation, or if you are installing in an environment already using firewalls, that the default EM 12c ports be open for all traffic until you complete the installation, configuration, and verification. After completing the EM 12c installation, you can view the ports assigned in the staticports.ini file on the OMS host located in MIDDLEWARE_HOME/.gcinstall_temp/. Default port values for various components are shown in Table 2 on the next page:

Table 2

To configure the management agent installed on a host protected by a firewall to communicate with an OMS on the other side of the firewall, perform the following tasks:

  • Configure the management agent to use a proxy server for uploads to the management service.
  • Configure the firewall to allow incoming HTTP traffic from the management service on the management agent port.

To configure the OMS installed on a host protected by a firewall to communicate with management agents on the other side of the firewall, perform the following tasks:

  • Configure the management service to use a proxy server for its communications to the management agents.
  • Configure the firewall to allow incoming HTTP traffic from the management agents on the management repository upload port.

Access to My Oracle Support from within EM 12c provides customers with the ability to search the knowledge base, raise service requests and create patch plans for managed targets. Meantime to resolution (MTTR) can be greatly reduced by providing in-context information specific to the customer’s infrastructure by uploading configuration data on a regular basis. If internal security policies permit, Oracle Management Server may be enabled to access My Oracle Support by making the following URLs available through the firewall: ccr.oracle.com, login.oracle.com, support.oracle.com, and updates.oracle.com and setting up a proxy server so EM 12c can access My Oracle Support. Be sure to review the Oracle Configuration Manager Security Overview documentation to understand the information that is collected and how it is secured by Oracle Corporation.

Other Security Considerations

ICMP

Oracle Management Service uses the Internet Control Message Protocol (ICMP) Echo Request to check the status of target host machines. If the ICMP Echo Request is blocked by a firewall, the target host machine will appear to be down. Enable the ICMP Echo Request so that the ping command can be issued by the OMS to check the status of the machine. The default port (7) is used for the ICMP Echo Request.

Auto-Discovery of Targets

Another feature of EM 12c that may be impeded by certain firewall configurations is the ability to auto-discover targets. In automatic host discovery, a single management agent is tasked to scan the entire network based on IP address ranges. It then returns a list of unmanaged host machines, a list of ports in use and the name of the service using each of the ports. Because the network will be scanned, the sudo privilege delegation must be set on the management agent host that will perform the scan. Typically, the management agent installed on the OMS host is used to perform the scan.

Notification System

The notification system allows EM 12c administrators to be notified when specific incidents, events or problems arise. It also has the capability to perform actions such as executing OS commands, scripts and PL/SQL procedures based on specific incidents or events. The notification system can also send traps to Simple Network Management Protocol (SNMP) enabled third-party applications.

Typically, notifications are sent via email. Before Oracle Enterprise Manager can send email notifications, an outgoing mail (SMTP) server must be set up for use by the notification system. Setup parameters include one or more outgoing mail server names, the mail server authentication credentials, the sender name for notifications and the email address to be used. The notification system can optionally be configured to use secure connections by entering SSL in the secure connection field. Email is encrypted using the TLS protocol if the mail server supports it; otherwise, the email is automatically sent as plain text.

Software Library

Oracle Software Library is a repository that stores software entities such as software patches, virtual appliance images, reference gold images, and application software. In addition to storing them, it can be used to maintain versions, maturity levels and life cycles of these software entities. The software library leverages the organization’s existing IT infrastructure (file servers, web servers, and storage systems) to stage the files to host targets as part of provisioning or patching activity. Two types of locations are available: an upload file location and referenced file locations. For single OMS environments, the software library can be configured on either the host where the OMS is running or in a shared location.

With EM 12c, a new feature called referenced file location has been introduced, wherein software library entities can refer to files that are stored on another host. These locations are read-only for the software library and are not used for uploading files. Referenced file locations support three storage options:

  1. HTTP: an HTTP storage location that represents a base URL, which acts as the source of files that can be referenced
  2. NFS: an NFS storage location that represents an exported file system directory on a server
  3. Agent: An agent storage location can be any host monitored by an Enterprise Manager Agent. The agent can be configured to serve the files located on that host.

From a security point of view, the software library should be protected against unwanted alterations to the source patches and software images. Adequate space should be made available for the library to store and manage the essential software used in the environment being managed by EM 12c. Uploads and other maintenance activities are supported through the credential subsystem. Note that if shared storage or referenced storage is utilized in an environment where firewalls exist between the OMS and targets, it is important to set the rules to allow appropriate communication between the shared storage location(s) and the OMS.

Information Publisher Reports

EM 12c’s reporting framework, Information Publisher, makes information about the managed environment available to audiences across your enterprise. Reports are used to present a view of monitoring information for business intelligence purposes. The reporting framework allows users to create and publish customized reports via the web or email reports to selected recipients. EM 12c renders a separate reporting website that does not require user authentication. To ensure that no sensitive information is compromised, a special system privilege must be granted to those administrators that are allowed to publish reports to the Enterprise Manager reports website. As a minimum, the administrators granted this privilege should be educated on the data classification and internal policies governing those classifications.

Operational Security

Authentication, authorization and auditing work together to provide EM 12c operational security by ensuring the identity of the users, controlling access to secure resources and functions, and establishing a high assurance of nonrepudiation. The following sections explain the EM 12c features used within these areas to provide robust operational system security.

Authenticate

The most common form of authentication is login credentials and passwords and is the default authentication method for access to EM 12c. If using this method, care should be taken to make sure a strong password policy exists and is systematically enforced to protect against password cracks or brute force attempts. The most highly privileged account is the SYSMAN account. This account owns the underlying schema and objects of the repository DB and should be secured by limiting its use and the disclosure of its password to only the tool administrator.

The EM 12c authentication framework covers both the authentication to the EM 12c console and authentication to the managed targets. The tasks an administrator can perform and targets they can access depend on the roles, system privileges and target privileges granted. The super administrator can choose to let certain administrators perform only certain management tasks, access only certain targets or perform certain management tasks on certain targets. In this way, the super administrator can provide a separation of duties among the administrators.

Authentication to EM 12c

EM 12c’s authentication framework consists of pluggable authentication schemes that support authentication protocols that may already be in use. Aside from repository-based authentication, the other options listed here are separate licensable products:

  • Oracle Access Manager (OAM) SSO is the Oracle Fusion Middleware single sign-on solution utilizing the Enterprise Directory Identity Stores.
  • Repository-based authentication is the default authentication option and uses a username and password. An EM 12c administrator is also a repository DB user and, as such, may use the database password control settings via password profiles to enforce password complexity, password lifetime and the number of failed logon attempts allowed.
  • Oracle Application Server SSO-based authentication provides strengthened and centralized user identity management across the enterprise.
  • Enterprise User Security-based authentication (EUS) option enables the creation and storage of enterprise users and roles for the Oracle database in an LDAP-compliant directory server. EUS helps centralize the administration of users and roles across multiple databases. If the managed databases are also configured with EUS, drilling down into a managed database allows EM 12c to directly connect to the database as the EM 12c administrator without displaying a login page.
  • When using an authentication scheme based on Oracle Internet Directory (OID) as the identity store, plug in the OID-based authentication scheme to allow applications to authenticate users against the OID.
  • When using a Microsoft Active Directory as an identity store, plug in this scheme to authenticate users against the Microsoft Active Directory.

Authenticating EM Users to Targets

Credentials are typically required to access targets such as databases, application servers, and hosts. As detailed in the infrastructure security section, credentials are encrypted using emkey and stored in the repository DB. Beginning with Enterprise Manager 12c, the credential subsystem supports strong authentication schemes such as PKI, SSH-keys, and Kerberos. The use of PKI and Kerberos require Oracle Advanced Security Option licensing for all the Oracle database targets where it is deployed. SSH-key based host authentication, used by jobs, deployment procedures and other EM 12c subsystems, is now also supported.

Credentials can be classified into the following categories:

  • Named credentials
  • Job credentials
  • Monitoring credentials
  • Preferred credentials

Named Credential

Administrators define and store credentials within EM 12c as a named entity. Named credentials can be a username/password or a public key-private key pair and are used for performing operations such as running jobs, patching, and other system management tasks. There are two categories of named credentials: global-named credentials and target-named credentials. Global-named credentials are independent entities not associated with any objects at the time of creation, whereas target-named credentials are associated with individual targets when they are created.

Access control for credentials ensure that only credential owners can grant privileges on their created credentials to other users, and the credentials owned by an administrator will be deleted if that administrator is deleted from EM 12c because sharing ownership is not allowed. There are three privilege levels for all credentials: view, edit and full. Full allows an administrator to edit all details, including the authentication scheme, and delete the credential. Edit allows an administrator to change the password or public/private key pair but not the name of the credential or the authentication scheme. View allows the administrator to view the structure and username of the credential but not alter sensitive information such as the password. The view privilege also allows the grantee to use the credential for running jobs, patching and other system maintenance operations within EM 12c.

Job Credentials

The job system uses the credential subsystem to retrieve the credentials required to submit a job on the targets. When submitting a job, options to use preferred credentials, named credentials or create new credentials are displayed.

Monitoring Credentials

The management agent uses monitoring credentials to monitor certain types of targets. Monitoring credentials can also potentially be used by management applications to connect directly to the target from the OMS.

Preferred Credentials

Preferred credentials are used to simplify access to managed targets and set on a per-user basis. With the preferred credentials set, users can access a target without being prompted to log into the target.

SSH Key-based Host Authentication

Solaris Secure Shell (SSH) allows data to be encrypted over the network and can be used to protect against attacks such as IP spoofing, IP source routing, and DNS spoofing. The agent acts as a Java SSH client and connects to the host using the username/password provided in the credential. To create SSH authentication keys, you use the SSH-keygen utility available on *NIX systems. This application provides different options to create keys with different strengths; for example, RSA keys for SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2. SSH keys can also be used for passwordless authentication to a host. This requires proper configuration of the host and source system in order to bypass the password.

Pluggable Authentication Modules (PAM) Support for Hosts

Pluggable authentication modules (PAM) are used to integrate multiple low-level authentication schemes into a high-level application programming interface (API), allowing programs that rely on authentication to be written independently of the underlying authentication scheme. The use of PAM can leverage other authentication mechanisms such as LDAP, RADIUS, and Kerberos. If host authentication is configured over PAM, the management agent needs to be configured accordingly to enable PAM authentication. Refer to MOS note 422073.1 for deployment details:

Note: The local password file (usually /etc/passwd) will be checked and used first. This should be synchronized with the LDAP password if it is being used. If this fails, the management agent will switch to the external authentication module. The EM 12.1 agent follows this same behavior unless the host administrator has created a PAM service called “emagent.” If the “emagent” PAM service exists, then only PAM authentication will be attempted.

Sudo and PowerBroker Support

EM 12c preferred credentials allow the use of two types of privilege delegation tools: Sudo and PowerBroker. Use the EM CLI or the manage privilege delegation settings page to set/edit privilege delegation settings for a host.

The Sudo command allows a permitted user to execute a command as the super user or another user, as specified in the Sudoers file. If the invoking user is root or if the target user is the same as the invoking user, no password is required. Otherwise, Sudo requires that users authenticate themselves with their password. Once a user has been authenticated, a timestamp is updated and the user may then use Sudo without a password for a short period of time (five minutes unless overridden in the Sudo configuration file). EM 12c authenticates the user using Sudo and executes the script as sudo.

BeyondTrust Powerbroker enables UNIX system administrators to specify the circumstances under which other people may run certain programs such as root or other important accounts. It can access existing programs, as well as its own set of utilities that execute common system administration tasks. Users can work from within a restricted shell or editor to access certain programs or files as root. See the PowerBroker documentation for detailed setup and configuration information.

Authorization

Authorization is the process of verifying that a user is permitted to do what he/ she is trying to do. Although that sounds simple enough, granting the proper privileges for administrators is critical to maintaining system security as well as regulatory compliance. Many factors must be considered when assigning privileges (e.g., ensuring a separation of duties and implementing a policy of granting least privilege). It may require significant work to create and manage fine-grained access control across a large organization. Oracle EM 12c attempts to ease this burden by providing predefined roles to manage a variety of resource and target types. Please refer to the Oracle Enterprise Manager Cloud Control Administrator’s Guide 12c for a detailed list of these roles and their functions.

It is important to remember that roles within EM 12c are used to manage the privileges for the tool and not the privileges on the targets managed by the tool. For example, EM 12c default roles include entries such as EM_ALL_DESIGNER that have privileges to design operational entities such as monitoring templates; EM_ALL_OPERATOR has privileges to manage EM operations and EM_ALL_VIEWER can only view EM operations. EM 12c roles can be created to provide tool privileges such as view to a group of targets. To access or drill into the targets managed by EM 12c, the administrator would need authentication and authorization on each database target. EM 12c provides the ability to ease this administration through managed credentials or by using EUS as previously outlined in the authenticating to targets section.

Privilege Propagating Groups

Another feature available to assist the EM 12c administrator responsible for assigning and maintaining privileges is privilege propagating groups. Privilege propagating groups allow administrators to grant administrator privileges across a group of targets. For example, granting operator privilege on a group to an administrator grants the operator privilege on its member targets, both for current members and for members that will be added in the future. Privilege propagating groups can contain individual targets or other privilege propagating groups. Privileges on the group can be granted to a user or a role. For example, suppose a large privilege propagating group is created and granted a privilege to a role; this group is then granted to administrators. If new targets are later added to the privilege propagating group, then the administrators receive the privileges on the target automatically. Additionally, when a new administrator is hired, the role is granted to the new administrator, who receives all the privileges on the targets automatically.

Audit Controls

Auditing is the ability to show who performed what action and when. Audit trail records can serve many purposes, such as nonrepudiation of events, regulatory compliance, and discovery of security breaches. EM 12c has a robust set of auditing capabilities, as do the managed targets. For a complete record of actions, you will need to do auditing in both the EM and the managed targets. Careful consideration must be given to exactly what truly needs to be audited because the creation of audit trail records will have an impact on the performance and capacity of the system. Also, if too many audit records are captured, audit review can become excessively time-consuming. Audit trails need to be secured in a manner that makes them tamper resistant from a nefarious user attempting to cover his or her tracks. They should also be purged or archived after they have been attested and no longer required per any regulatory mandates.

By default, EM 12c creates an audit trail for all activities associated with credentials, including creating, editing, accessing and deleting them. The audited information includes the current username, credential name, the operation performed, and operation status. The audit log contains information about the credential owner, action initiator, credential name, username, target name, and job name, along with the date and time of the operation. Sensitive fields, such as a password or private keys, are never logged.

To limit the amount of data stored in the repository, the audit data must be externalized or archived at regular intervals. The archived audit data is stored in an XML file stored in ODL format. For a complete list of audited operations, please see the Oracle® Enterprise Manager Cloud Control Administrator’s Guide 12c.

Summary

Enterprise Manager Cloud Control (EM 12c) is system management software that can be deployed in various configurations to manage a wide variety of infrastructure components and in a variety of business environments. Many options exist to secure the EM 12c infrastructure and operational control to mitigate the risks associated with the business environment it is deployed to manage. Careful planning should be done before implementing these security controls so that the effectiveness and productivity gains afforded by the tool are not unnecessarily circumvented.

References

  1. Oracle® Enterprise Manager Cloud Control Administrator’s Guide 12c Release 1 (12.1.0.1)
  2. Center of Internet Security (CIS) benchmarks
  3. Oracle® Fusion Middleware Securing a Production Environment for Oracle Web-Logic Server
  4. Oracle® Database Security Checklist
  5. My Oracle Support note 422073.1
  6. Oracle® Database Advanced Security Administrator’s Guide 11g Release 2
  7. Wp-em12c-security-best-practicesv2-149383.pdf
  8. Oracle® Database Net Services Reference 11g Release 2 (11.2)
  9. http://docs.oracle.com/cd/E11882_01/network.112/e10835/lsnrctl.htm#i553605
  10. Information Security. In Wikipedia. Retrieved March 24, 2012.
  11. Pluggable authentication module. In Wikipedia. Retrieved March 24, 2012.
  12. Password Strength. In Wikipedia. Retrieved March 24, 2012.
  13. Transport Layer Security. In Wikipedia. Retrieved March 24, 2012.
  14. Oracle® Configuration Manager Security Overview Release 10.3.0 Part Number E12881-01.

About the Author

Janet Wakeley, CISSP, works for GE Healthcare as the data management security leader with more than 14 years of experience on various Oracle technologies and more than half that time focused on security-related concerns.