Oracle Support Master Note for 10g Enterprise Manager Grid Control Security Framework (Doc ID 1092513.1)

For the most current information, refer to Master Note for 10g Enterprise Manager Grid Control Security Framework (Doc ID 1092513.1).

In this Document
  Purpose
  Scope and Application
  Master Note for 10g Enterprise Manager Grid Control Security Framework
     About Oracle Enterprise Manager Security
     Grid Control Components Security Objectives
     Diagnostic Tools Available for Troubleshooting Grid Control Security Issues
     Troubleshooting Grid Control Agent Secure Issues
     Troubleshooting Grid Control OMS Secure Issues
     Troubleshooting Host Preferred Credentials Issues
     Best Practices (Certification, Maintenance Activities, OCM, Healthcheck, CPU & PSU)
  References


Applies to:

Enterprise Manager Grid Control - Version: 10.1.0.2 to 10.2.0.5 - Release: 10.1 to 10.2
Information in this document applies to any platform.

Purpose

This Master Note helps you understand Enterprise Manager Grid Control 10g security, presents best practices for managing the security of Oracle Enterprise Manager Grid Control deployments, and shows how to use the available diagnostics effectively to troubleshoot and resolve the issues you encounter.

Scope and Application

This document is intended to help Enterprise Manager Grid Control administrators implement Grid Control security best practices and use the available diagnostics effectively to troubleshoot and resolve the issues they encounter. It covers the following topics:

  1. About Oracle Enterprise Manager Security.
  2. Grid Control Components Security Objectives.
  3. Diagnostic Tools Available for Troubleshooting Grid Control Security Issues.
  4. Troubleshooting Grid Control Agent Secure Issues.
  5. Troubleshooting Grid Control OMS Secure Issues.
  6. Troubleshooting Host Preferred Credentials Issues.
  7. Best Practices (Certification, Maintenance Activities, OCM, Healthcheck, CPU & PSU).

 

Master Note for 10g Enterprise Manager Grid Control Security Framework

About Oracle Enterprise Manager Security



Oracle Enterprise Manager provides tools and procedures to help you ensure that you are managing your Oracle environment in a secure manner. The goals of Oracle Enterprise Manager security are:

  • To be sure that all data transferred between Enterprise Manager components is transferred in a secure manner and that all data gathered by each Oracle Management Agent can be transferred only to the Oracle Management Service for which the Management Agent is configured.

This goal is met by enabling Enterprise Manager Framework Security. Enterprise Manager Framework Security automates the process of securing the Enterprise Manager components installed and configured on your network.

  • To be sure that sensitive data such as credentials used to access target servers are protected.

This goal is met by Enterprise Manager's encryption support. Sensitive data is encrypted with the EMKEY. By following the best practice of removing the EMKEY from the Repository, even the repository owner and a SYSDBA cannot read the sensitive data.

  • To be sure that only users with the proper privileges have access to critical monitoring and administrative data.

This goal is met by requiring username and password credentials before users can access the Enterprise Manager consoles and appropriate privileges for accessing the critical data.

  • To be sure that access to managed targets is controlled through user authentication and privilege delegation.

This goal is met by configuring the Management Agent with PAM and LDAP for user authentication and using privilege delegation tools like Sudo and PowerBroker.

=======================================================================

Grid Control Components Security Objectives

The objectives below are grouped by the Grid Control component they apply to. Each entry gives the security objective and the how-to (a documentation section, a command, or a My Oracle Support note) that reaches it.

Securing Oracle Management Repository (OMR)

  • Objective: Secure/encrypt data transferred to and from the Repository Database
    How-To: Enabling Security for the Management Repository Database

  • Objective: Secure/encrypt the data transferred between the Agent and the Repository Database / Database Target
    How-To: Enabling Security for a Management Agent Monitoring a Secure Management Repository or Database

  • Objective: Change the SYSMAN and MGMT_VIEW users' passwords
    How-To: Note 270516.1: How to Change the Password of SYSMAN User in Grid Control?
            Note 374382.1: How To Change The MGMT_VIEW Password Used By Grid Control Repository

  • Objective: What are the Oracle Management Repository best practices?
    How-To: Refer to the "Securing the OMR" section in the Enterprise Manager Grid Control 10g Release 5 Security Deployment - Best Practices document.
            For Oracle Database security best practices, refer to the Oracle Database Security Checklist document.

Securing Oracle Management Service (OMS)

  • Objective: Enable security for the Oracle Management Service
    How-To: In 10.2 the OMS is secured by default during Grid Control installation; for more information refer to Enabling Security for the Oracle Management Service

  • Objective: Enable security with a Server Load Balancer / multiple OMSes
    How-To: Enabling Security with a Server Load Balancer / Multiple OMSes

  • Objective: Restrict HTTP access to the Grid Control Console
    How-To: Note 452290.1: How to secure or restrict access to the Enterprise Manager Grid Control console

  • Objective: Prevent Management Agents from uploading data to the Management Service over HTTP
    How-To: Restricting Agents HTTP upload to the Management Service
            Note 428874.1: How To Verify if the Enterprise Manager Grid Control (OMS) is Locked or Unlocked?

  • Objective: Disable weak SSLCipherSuites for the OMS
    How-To: Note 957952.1: How to Disable Weak SSLCipherSuites Used by Grid Control OMS and Agent

  • Objective: Configure a third-party certificate for the HTTPS Upload Virtual Host
    How-To: Configuring Third Party Certificate for HTTPS Upload Virtual Host (10.2.0.5.0 Grid Control only)

  • Objective: Configure a third-party certificate for the HTTPS Apache Virtual Host (Grid Control Console)
    How-To: Configuring Third Party Certificate for HTTPS Apache Virtual Host (10.2.0.5.0 Grid Control only)

Securing Oracle Management Agent (OMA)

  • Objective: Enable security for the Oracle Management Agent
    How-To: Enabling Security for the Oracle Management Agent

  • Objective: Secure the Agents with a Server Load Balancer
    How-To: > $ emctl secure agent -emdWalletSrcUrl <SLB Upload url>
            For more information refer to Configure the Management Agent to Communicate Through SLB

  • Objective: Manage Agent registration passwords
    How-To: Managing Agent Registration Passwords

  • Objective: Disable weak SSLCipherSuites for the Agent
    How-To: Note 957952.1: How to Disable Weak SSLCipherSuites Used by Grid Control OMS and Agent

Grid Control Console Authentication

  • Objective: What are the available Grid Control authentication schemes?
    How-To: Repository Based Authentication
            Single Sign-On Based Authentication
            Enterprise User Security Based Authentication

  • Objective: Configure Grid Control to use Single Sign-On
    How-To: Configuring Enterprise Manager to Use the Single Sign-On Logon Page
            Registering HTTP Port (Unsecure) with Single Sign On Server
            Configuring Enterprise Manager to Use Single Sign-On with the osso.conf File
            Registering Single Sign-On Users as Enterprise Manager Administrators
            Bypassing the Single Sign-On Logon Page

  • Objective: Disable the SYSMAN and SYSTEM users from logging into the Grid Control Console
    How-To: Note 867360.1: How To Disable SYSMAN & SYSTEM Users from Logging into Grid Control Console

Grid Control Authorization

  • Objective: What are the available classes of users?
    How-To: Classes of Users

  • Objective: How are privileges and roles defined?
    How-To: Privileges and Roles

  • Objective: What are the privilege categories and the available privileges to grant?
    How-To: Granting Privileges

Preferred Credentials and Target Access

  • Objective: Credential subsystem and categories
    How-To: Credential Subsystem

  • Objective: What are the methods to manage credentials?
    How-To: Managing Credentials Using Grid Control Console
            Managing Credentials Using EMCLI

  • Objective: Configure the Grid Control Agent with PAM and LDAP to authenticate users
    How-To: Note 422073.1: How to Configure the Grid Control Agent for PAM and LDAP?

  • Objective: Use privilege delegation utilities (Sudo or PowerBroker) to access targets, run jobs and collect user-defined metrics
    How-To: Sudo and PowerBroker Support
            Creating a Privilege Delegation Setting

Cryptographic Support (EMKEY)

  • Objective: Encryption key configuration
    How-To: EMKEY Configuration

  • Objective: Check the health/status of the EMKEY
    How-To: > $ emctl status emkey

  • Objective: Secure the encryption key (EMKEY)
    How-To: Secure the encryption key by removing it from the Repository

Grid Control Auditing

  • Objective: Set up the auditing system for Enterprise Manager Grid Control
    How-To: Enabling and Disabling Auditing using EMCLI commands (10.2.0.5.0 Grid Control only)
            Enabling and Disabling Auditing using PL/SQL (10.2.0.5.0 Grid Control only)

  • Objective: Configure the Audit Data Export Service
    How-To: Configuring the Audit Data Export Service (10.2.0.5.0 Grid Control only)

  • Objective: Search the audit data from the Grid Control Console
    How-To: Searching the Audit Data (10.2.0.5.0 Grid Control only)

=======================================================================

Diagnostic Tools Available for Troubleshooting Grid Control Security Issues

  • RDA

The Remote Diagnostic Agent (RDA) can be run with the Grid Control / OMS profile (profile name: GridControl) and the Agent profile (profile name: AGT). Using these profiles reduces the number of questions that need to be answered and ensures that all details of the OMS / Agent home are collected correctly.

The steps to execute the RDA with GridControl and AGT profiles are explained in:

Note 1057051.1: How to Run the RDA against a Grid Control Installation

It is highly recommended that the latest EMDiagkit is installed and executed in the OMS home before running the RDA, so that the RDA picks up the latest data collected by the EMDiagkit.

  • EMDiagkit

The EMDiagkit is a diagnostic tool developed to assist in the diagnosis and correction of Enterprise Manager 10g Framework issues. At present, the tool extracts the necessary troubleshooting data from the EM Repository schema using the repvfy utility.

The details for installation, usage of EMDiagkit are available in

Note 421053.1 : EMDiagkit Download and Master Index

  • Wget

GNU Wget (or just Wget) is a computer program that retrieves content from web servers, and is part of the GNU Project. Its name is derived from World Wide Web and get, connotative of its primary function. It currently supports downloading via HTTP, HTTPS, and FTP protocols, the most popular TCP/IP-based protocols used for web browsing.

For more details, refer to the following links:

What is Wget
Downloading Wget

Note: wget is a third party tool and problems faced while using this tool cannot be supported by Oracle Support. Also, the above mentioned download links are not maintained by Oracle and hence are subject to change.

 

=======================================================================

Troubleshooting Grid Control Agent Secure Issues

To enable Enterprise Manager Framework Security for the Management Agent, use the emctl secure agent utility, which is located in the following directory of the Management Agent home directory:

> $ <AGENT_HOME>/bin/emctl secure agent


The emctl secure agent utility performs the following actions:

  • Obtains an Oracle Wallet from the Management Service that contains a unique digital certificate for the Management Agent. This certificate is required in order for the Management Agent to conduct SSL communication with the secure Management Service.
  • Obtains an Agent Key for the Management Agent that is registered with the Management Service.
  • Configures the Management Agent so it is available on your network over HTTPS and so it uses the Management Service HTTPS upload URL for all its communication with the Management Service.

Securing the Agent may fail at any of the above steps.
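The following script is an added example and is not part of the Oracle note or of Oracle's own tooling. It checks, after the fact, whether the three outcomes listed above actually hold on an agent: uploads go to the OMS HTTPS upload URL, the agent itself listens over HTTPS, and a wallet source URL records where the agent obtained its certificate. It assumes the agent configuration lives in <AGENT_HOME>/sysman/config/emd.properties and carries the keys REPOSITORY_URL, EMD_URL and emdWalletSrcUrl; those key names, the hostnames and ports, and the two sample property files the script writes are all assumptions constructed for the demonstration, not values taken from the note. The optional probe_upload_url function uses wget, the third-party tool listed under Diagnostic Tools, purely as a reachability test of the configured upload URL.

```shell
#!/bin/sh
# Added example (not from the Oracle note): verify that "emctl secure agent"
# left a 10g Management Agent in the secured state described above.
# Assumptions: the agent's configuration lives in
# <AGENT_HOME>/sysman/config/emd.properties and carries the keys
# REPOSITORY_URL (OMS upload URL), EMD_URL (the agent's own listener URL)
# and emdWalletSrcUrl (where the agent fetched its wallet from).
# Check the key names against your own emd.properties before relying on this.

# prop_value <properties file> <key>
# Prints the value of <key>; the last occurrence wins, as in Java properties.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# agent_secure_check <emd.properties path>
# Prints one OK/FAIL line per check; returns 0 only if every check passes.
agent_secure_check() {
    props=$1
    rc=0
    [ -r "$props" ] || { echo "FAIL: cannot read $props"; return 1; }

    repo_url=$(prop_value "$props" REPOSITORY_URL)
    emd_url=$(prop_value "$props" EMD_URL)
    wallet_src=$(prop_value "$props" emdWalletSrcUrl)

    # 1. Uploads must go to the OMS HTTPS upload URL, never the HTTP one.
    case $repo_url in
        https://*) echo "OK:   upload URL is HTTPS ($repo_url)" ;;
        http://*)  echo "FAIL: upload URL is plain HTTP ($repo_url); agent is not secured"; rc=1 ;;
        *)         echo "FAIL: REPOSITORY_URL missing or malformed ('$repo_url')"; rc=1 ;;
    esac

    # 2. The agent itself must be reachable only over HTTPS.
    case $emd_url in
        https://*) echo "OK:   agent listens over HTTPS ($emd_url)" ;;
        *)         echo "FAIL: EMD_URL is not HTTPS ('$emd_url')"; rc=1 ;;
    esac

    # 3. A wallet source URL shows the agent obtained its certificate from the OMS.
    case $wallet_src in
        https://*) echo "OK:   wallet obtained from $wallet_src" ;;
        *)         echo "FAIL: emdWalletSrcUrl missing or not HTTPS; no wallet was obtained"; rc=1 ;;
    esac
    return $rc
}

# probe_upload_url <emd.properties path>
# Optional network check (needs wget and a route to the OMS): fetch the
# configured upload URL and report whether the OMS answers on it.
# --no-check-certificate is needed because wget does not trust the OMS
# certificate the way the agent's wallet does; this is a reachability test,
# not a certificate validation.
probe_upload_url() {
    url=$(prop_value "$1" REPOSITORY_URL)
    command -v wget >/dev/null 2>&1 || { echo "SKIP: wget is not installed"; return 2; }
    wget -q -O /dev/null --no-check-certificate --timeout=10 --tries=1 "$url"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "OK:   OMS answered on $url"
    else
        echo "FAIL: no answer from $url (wget exit status $rc)"
    fi
    return $rc
}

# write_sample_props <path> secured|plain
# Writes a constructed emd.properties fragment for the demonstration below.
write_sample_props() {
    if [ "$2" = secured ]; then
        cat > "$1" <<'EOF'
# constructed sample: agent after a successful "emctl secure agent"
REPOSITORY_URL=https://oms.example.com:1159/em/upload
EMD_URL=https://agenthost.example.com:3872/emd/main/
emdWalletSrcUrl=https://oms.example.com:1159/em/wallets/emd
agentTZRegion=UTC
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample: agent still uploading to the OMS over plain HTTP
REPOSITORY_URL=http://oms.example.com:4889/em/upload
EMD_URL=http://agenthost.example.com:3872/emd/main/
agentTZRegion=UTC
EOF
    fi
}

# Demonstration on the two constructed samples. On a real agent run instead:
#   agent_secure_check "$AGENT_HOME/sysman/config/emd.properties"
demo=${TMPDIR:-/tmp}/emd_secure_demo.$$
write_sample_props "$demo.secured" secured
write_sample_props "$demo.plain" plain
agent_secure_check "$demo.secured"   # three OK lines, returns 0
agent_secure_check "$demo.plain"     # FAIL lines, returns 1
rm -f "$demo.secured" "$demo.plain"
```

A passing check only tells you the configuration files say the right thing; if the agent still fails to upload, follow the emctl secure agent log/trace files and the troubleshooting note below, since the wallet, the registration password and the OMS side can each still be wrong.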

For troubleshooting steps, refer to Note 731692.1: How to Troubleshoot the 10g Grid Control Agent Secure Issues.

To find documents related to Grid Control Agent securing issues:

Log in to My Oracle Support, then click the Knowledge tab.
In the left pane, under "Browse Knowledge", click:
Enterprise Management -> Enterprise Manager Consoles - Packs - and Plugins -> Enterprise Manager Grid Control -> All of Enterprise Manager Grid Control.
Enter a search with the following keywords:

Securing Grid Control Agent Fails with <symptom that you have found in the log/trace files>

Some examples:
Securing Grid Control Agent Fails with 'The OMS is not set up for Enterprise Manager Security' Error
Securing Grid Control Agent Fails with "Invalid Registration password" when OMS is not Secured Properly
Securing Grid Control Agent Fails with "ERROR sec.CheckURLAvailability - caught IOException 1 java.net.ConnectException: Connection refused"


Troubleshooting Grid Control OMS Secure Issues

To enable Enterprise Manager Framework Security for the Management Service, you use the emctl secure oms utility, which is located in the following subdirectory of the Management Service home directory:

> $ <OMS_HOME>/bin/emctl secure oms


The emctl secure oms utility performs the following actions:

  • Generates a Root Key within your Management Repository. The Root Key is used during distribution of Oracle Wallets containing unique digital certificates for your Management Agents.
  • Modifies your Oracle HTTP Server to enable an HTTPS channel between your Management Service and Management Agents, independent from any existing HTTPS configuration that may be present in your Oracle HTTP Server.
  • Enables your Management Service to accept requests from Management Agents using Enterprise Manager Framework Security.

Securing the OMS may fail at any of the above steps.

For troubleshooting steps, refer to Note 1107097.1: How to Troubleshoot the 10g Grid Control OMS Secure Issues.

To find documents related to Grid Control OMS securing issues:

Log in to My Oracle Support, then click the Knowledge tab.
In the left pane, under "Browse Knowledge", click:
Enterprise Management -> Enterprise Manager Consoles - Packs - and Plugins -> Enterprise Manager Grid Control -> All of Enterprise Manager Grid Control.
Enter a search with the following keywords:

Running 'emctl secure oms' Fails with <symptom that you have found in the log/trace files>

Some examples:

Running 'emctl secure oms' Fails with ORA-06512: at "SYSMAN.MGMT_TIME_SYNC"
Running 'emctl secure oms' Fails With Undefined subroutine &EmctlCommon::promptUserPasswds

Troubleshooting Host Preferred Credentials Issues

Preferred credentials simplify access to managed targets by storing target login credentials in the Management Repository. With preferred credentials set, a user can access an Enterprise Manager target that accepts those credentials without being prompted to log in to the target. Preferred credentials are set on a per-user basis, thus preserving the security of the managed enterprise environment.

For troubleshooting Host Preferred Credentials issues, refer to Note 757425.1: Troubleshooting Host Preferred Credentials.

=======================================================================

Best Practices (Certification, Maintenance Activities, OCM, Healthcheck, CPU & PSU)

EM Certification Checker

It is strongly recommended that you always use a certified combination of OMS, Agent and Repository Database for managing Targets which are certified with this combination. The Enterprise Manager Certification details are available in:

Note 412431.1: Oracle Enterprise Manager 10g Grid Control Certification

Maintenance Activities

  • Implement the security best practices described in the Enterprise Manager Grid Control 10g Release 5 Security Deployment - Best Practices document.
  • Take valid backups of the Agent, OMS and Repository Database homes at regular intervals, so that any configuration file deleted by accident can be restored.
  • Before installing any new Grid Control components or relocating them to other machines, ensure that communication between these machines is working. Refer to Note 763844.1: How to Verify the Hostname/IP Address Resolution Between the 10g Enterprise Manager Grid Control Components?
  • Never delete files under <AGENT_HOME>/sysman/emd in order to fix problems; this only creates more problems.
  • Execute the EMDiagkit at regular intervals (once per week or more frequently, depending on your setup) and check for any new problems that are reported.
  • Always download and use the latest RDA to ensure that the latest features are used.
  • Always download and use the latest EMDiagkit. The tests and options are regularly modified and improved by Development so that the latest known bugs and issues are discovered by the Diagkit.




OCM

Oracle Configuration Manager (OCM) works with My Oracle Support to enable a proactive support capability that helps you organize, collect and manage your Oracle configurations. It provides proactive, configuration-specific notification of Security and General Alerts; HealthCheck recommendations based on Support best practices when configuration auto-collection is used; simplified Service Request logging, tracking and reporting; and project cataloging of key milestones and contacts associated with your configurations.

  • The lists of all available OCM collections for the Oracle Products are available here:

Oracle Configuration Manager Collections

  • Among these the following topics are related to the Enterprise Manager:
    • 2.52 Oracle Enterprise Manager 10g Grid Control Management Agent
    • 2.54 Oracle Enterprise Manager 10g Grid Control Management Service
    • 2.53 Oracle Enterprise Manager 10g Grid Control Management Repository
    • 2.72 Oracle Grid Control Repository (for oracle_emrep target)
    • 2.38 Oracle Agent Deployment Configuration (oracle_emd target)
    • 2.73 Oracle Home
    • 2.23 Host

Note: The above list is expected to be expanded as and when new collections are introduced in future.

  • It is also advisable to review the collections available for the Database instance, so that the Database hosting the repository can be monitored as well:
    • 2.10 Database Instance
    • 2.78 Oracle Listener

Healthcheck

Healthchecks are executed dynamically against the Oracle Configuration Manager uploaded configurations in My Oracle Support. These checks, based on Oracle Best practices, will proactively notify you of potential problems in your environment, and provide recommendations that help you improve system performance and avoid problems in your Oracle environment.

  • If you are receiving any Healthcheck alerts in My Oracle Support, refer to the following document for the alert details and for the corresponding document that resolves each alert:

Note 868955.1: My Oracle Support Health Checks Catalog

  • For Healthchecks specific to the Enterprise Manager and Repository Database, refer to the sections titled:

Enterprise Manager (for the OMS)
Oracle Database (for the Database hosting the Repository)




CPU and PSU

  • CPU

Critical Patch Updates (CPUs) are the primary means of releasing security fixes for Oracle products. They are released on the Tuesday closest to the 15th day of January, April, July and October. The Critical Patch Updates page lists all currently available CPUs in chronological order and is updated whenever a new CPU is released. You can also subscribe to the CPU e-mail alerts.

To obtain the latest CPU patch details for Enterprise Manager Grid Control and its dependent products, Oracle Application Server and Oracle Database:
- On the Critical Patch Updates page, click the link shown for the latest CPU in the 'Critical Patch Updates' table.
- The next page lists all the products which have security fixes in the chosen CPU release. Scroll down to the 'Patch Availability Table ...' topic and find the table with the Product Group and the Patch Availability and Installation Information.
- In that table, find the row for Product Group 'Oracle Enterprise Manager' and pick up the document number given in the Patch Availability and Installation Information column. In that document, navigate to:

"Critical Patch Update Availability for Oracle Products" and then to
"Oracle Enterprise Manager Grid Control"

  • PSU

Patch Set Updates (PSU) are proactive cumulative patches containing recommended bug fixes that are released on a regular and predictable schedule. PSUs are on the same quarterly schedule as the Critical Patch Updates (CPU), specifically the Tuesday closest to the 15th of January, April, July, and October. The PSUs serve as a new baseline version for reporting issues to Oracle, hence it is always recommended to be on the latest PSU release.

  • For more details on PSUs, refer to Note 854428.1: Patch Set Updates for Oracle Products.
  • For Enterprise Manager specific PSUs, refer to Note 822485.1: Oracle Recommended Patches -- Oracle Enterprise Manager.

  • Choosing between CPU / PSU patches

The PSU and CPU released each quarter contain the same security content. However, the two use different patching mechanisms, so choose the one that fits your environment:

  • A PSU can be applied on the CPU released at the same time or on any earlier CPU for the base release version. A PSU can also be applied on any earlier PSU or on the base release version. CPUs are only created on the base release version.
  • Once a PSU has been installed, the recommended way to get future security content is to apply subsequent PSUs. Reverting from a PSU back to a CPU, while possible, requires significant effort and is not advised.

  • Getting CPU / PSU patch recommendations via OCM

OCM also collects and recommends the latest CPU and PSU patches that can be applied to a particular Oracle Home. These details can be seen in My Oracle Support -> Patches and Updates -> Patch Recommendations:

- 'Security' patch recommendations include the CPU patches.
- 'Other Recommendations' include the PSU patches.

References

Note 1081865.1: Master Note for 10g Grid Control OMS Process Control (Start, Stop and Status) & Configuration
Note 1082009.1: Master Note for 10g Grid Control Agent Process Control (Start, Stop & Status) & Configuration
Note 1086343.1: Master Note for 10g Grid Control Enterprise Manager Communication and Upload issues
Note 1087997.1: Master Note for 10g Enterprise Manager Grid Control Agent Performance & Core Dump issues
Note 1098262.1: Master Note for Diagnostic Tools for 10g Enterprise Manager Grid Control Components
Note 1161003.1: Master Note for 10g Grid Control OMS Performance Issues
