1 / 24

Securing Grid Control

Securing Grid Control. Objectives. After completing this lesson, you should be able to: Describe the security options available for Oracle Management Service and Oracle Management Agent Configure Grid Control for use with proxy servers and through firewalls

sonel
Download Presentation

Securing Grid Control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Securing Grid Control

  2. Objectives • After completing this lesson, you should be able to: • Describe the security options available for Oracle Management Service and Oracle Management Agent • Configure Grid Control for use with proxy servers and through firewalls • Authenticate Grid Control administrators using Single Sign-On • Configure Grid Control for use with Enterprise User Security

  3. Grid Control Security • Grid Control security has two primary goals: • Ensuring secure transfer of data between Grid Control components • Denying unauthorized users access to Grid Control monitoring data and administrative controls

  4. Securing Grid Control • Enterprise Manager Framework Security provides safe and secure communication between the Grid Control components through: • Working with security features of Oracle HTTP Server • Implementing HTTPS and Public Key Infrastructure (PKI) components for communications between Oracle Management Service (OMS) and Oracle Management Agents • Using Oracle Advanced Security for communications between OMS and the Management Repository

  5. Grid Control Security Framework • Grid Control Security Framework provides secure (encrypted) communication between Grid Control components: • Agent <-> OMS • OMS <-> Repository OC4J EM Web Cache OHS OMS Encrypted channel Encrypted channel

  6. Verify that Oracle Management Agents Are Secure

  7. Managing Agent Registration Passwords • Use Grid Control to: • Change agent registration passwords • Create or remove additional registration passwords

  8. Refusing Nonsecure Uploads • Configure OMS to refuse unencrypted uploads. • Stop all OMS services. • Configure OMS to refuse uploads via HTTP. • Start all OMS services. $ emctl secure lock

  9. Securing OMS–Repository Communication • To secure communication between the OMS and repository, enable the Oracle Advanced Security Option (ASO) for: • Repository • OMS • Agent monitoring the repository database

  10. Enabling ASO for the Repository • Modify ORACLE_HOME/network/admin/sqlnet.orato request encryption: • SQLNET.ENCRYPTION_SERVER • SQLNET.CRYPTO_SEED SQLNET.ENCRYPTION_SERVER=REQUESTED SQLNET.CRYPTO_SEED="abcdefg123456789" OMR

  11. Enabling ASO for Each OMS • ASO for the OMS is configured through entries in OMS_HOME/sysman/config/emoms.properties. • Stop and restart the OMS to implement the new parameters. oracle.sysman.emRep.dbConn.enableEncryption=TRUE oracle.net.encryption_types_client=(DES40C) oracle.net.encryption_client=REQUESTED

  12. Enabling ASO for the Agent • Create AGENT_HOME/network/admin/sqlnet.oraas a text file with the following entry: • SQLNET.CRYPTO_SEED SQLNET.CRYPTO_SEED="abcdefg123456789"

  13. Securing Application Server Control • Stand-alone Application Server Control console may also be configured for secure operation: • Stop the stand-alone console: • emctl stop iasconsole • Secure the stand-alone console: • emctl secure em • Start the stand-alone console: • emctl start iasconsole

  14. Enabling Enterprise Manager Security Framework • To enable Enterprise Manager Security Framework, the components must be configured in a specific order: • Secure the OMS (done by default in Grid Control R2). • For each Oracle Management Agent, stop it, secure it, and restart it:emctl stop agent emctl secure agent emctl start agent • When all agents are secure, lock the OMS:emctlsecure lock

  15. Configuring Enterprise Manager for Firewalls • Before configuring your firewall, consider the following: • It should be the last phase of the Enterprise Manager deployment. • For existing firewalls, open default Enterprise Manager communication ports until the installation and configuration processes are complete. • If enabling Enterprise Manager Framework Security, do not secure the agents until you confirm that HTTP and HTTPS traffic between the agent and Management Repository works. • After confirming that the OMS and Oracle Management Agents can communicate, complete the transition into secure mode and change firewall configuration as necessary.

  16. Firewall Configuration for Grid Control Components • Firewalls between the browser and the Grid Control console • Oracle Management Agent protected by a firewall • Management Service protected by a firewall • Firewalls between the Management Service and the Management Repository • Firewalls between Grid Control and a managed database target • Firewalls used with multiple Management Services • Firewalls to allow ICMP and UDP traffic for beacons • Firewalls when managing Oracle Application Server

  17. Configuring the Agent for Proxy Communication • To configure the agent so that it communicates via a proxy server, perform the following steps: • Stop the Oracle Management Agent. • Add proxy information to AGENT_HOME/sysman/config/emd.properties: • REPOSITORY_PROXYHOST • REPOSITORY_PROXYPORT • Start the Oracle Management Agent. Proxy server

  18. Configuring the OMS for Proxy Communication • To configure the OMS so that it communicates via a proxy server, perform the following steps: • Stop the OMS. • Add proxy information to OMS_HOME/sysman/config/emoms.properties. • Start the OMS. OC4J EM Web Cache OHS Proxy server OMS

  19. Authenticating Grid Control Administrators • Grid Control administrators are: • Authenticated as repository database users • Created and managed through the Grid Control console • If desired, administrators may be created, managed, and authenticated via Oracle Single Sign-On.

  20. Oracle Single Sign-On • Single Sign-On (SSO) is a component of Oracle Application Server that enables users to log in to Web applications by using a single username and password. • Configuring Grid Control to use Single Sign-On is a two-step process: • Configure the OMS to use SSO. • Add Grid Control users.

  21. Configuring the OMS for SSO • To configure the OMS to use SSO, perform the following steps: • Stop the OMS. • Reconfigure the OMS to use SSO. • Start the OMS. emctl config sso - –host <SSO Server> - –port <SSO DB Listener Port> - –sid <SSO DB SID> - –pass <DB password for orasso> - –das <URL for OIDDAS server> OC4J EM Web Cache OHS OMS

  22. Enterprise User Security • With Enterprise User Security, database users are authenticated through a centralized directory. • Instead of storing management credentials for each target database, the OMS may be configured to use Enterprise User Security. Grid Control Oracle Internet Directory

  23. Configuring the OMS forEnterprise User Security • To configure an OMS for use with Enterprise User Security, perform the following steps: • Stop all OMS services. • Edit emoms.properties to enable Enterprise User Security. • Start OMS services. OC4J EM Web Cache OHS OMS

  24. Summary • In this lesson, you should have learned how to: • Describe the security options available for Oracle Management Service and Oracle Management Agent • Configure Grid Control for use with proxy servers and through firewalls • Authenticate Grid Control administrators using Single Sign-On • Configure Grid Control for use with Enterprise User Security

More Related