Securing Grid Control
Copyright © 2006, Oracle. All rights reserved.
Objectives
After completing this lesson, you should be able to:
• Describe the security options available for Oracle
Management Service and Oracle Management Agent
• Configure Grid Control for use with proxy servers and
through firewalls
• Authenticate Grid Control administrators using Single
Sign-On
• Configure Grid Control for use with Enterprise User
Security
Grid Control Security
Grid Control security has two primary goals:
• Ensuring secure transfer of data between Grid Control
components
• Denying unauthorized users access to Grid Control
monitoring data and administrative controls
Securing Grid Control
Enterprise Manager Framework Security provides safe and
secure communication between the Grid Control
components through:
• Working with security features of Oracle HTTP Server
• Implementing HTTPS and Public Key Infrastructure
(PKI) components for communications between Oracle
Management Service (OMS) and Oracle Management
Agents
• Using Oracle Advanced Security for communications
between OMS and the Management Repository
Grid Control Security Framework
Grid Control Security Framework provides secure
(encrypted) communication between Grid Control
components:
• Agent <-> OMS
• OMS <-> Repository
[Diagram: each agent reaches the OMS (the EM application running in OC4J behind Oracle HTTP Server and Web Cache) over an encrypted channel, and the OMS reaches the repository over a second encrypted channel]
Verify that Oracle Management Agents Are Secure
Managing Agent Registration Passwords
Use Grid Control to:
• Change agent registration passwords
• Create or remove additional registration passwords
Refusing Nonsecure Uploads
Configure the OMS to refuse unencrypted (HTTP) uploads, so that only
agents that have been secured can report in:
1. Stop all OMS services.
2. Configure the OMS to refuse uploads via HTTP:
$ emctl secure lock
3. Start all OMS services.
Lock the OMS only after every agent has been secured: an agent that still
uploads over HTTP is cut off as soon as the lock takes effect.
Securing OMS–Repository Communication
To secure communication between the OMS and
repository, enable the Oracle Advanced Security Option
(ASO) for:
1. Repository
2. OMS
3. Agent monitoring the repository database
Enabling ASO for the Repository
Modify ORACLE_HOME/network/admin/sqlnet.ora on the repository database
(OMR) host to request encryption:
• SQLNET.ENCRYPTION_SERVER
• SQLNET.CRYPTO_SEED
SQLNET.ENCRYPTION_SERVER=REQUESTED
SQLNET.CRYPTO_SEED="abcdefg123456789"
REQUESTED lets the server fall back to an unencrypted session when a
client does not negotiate encryption; switch to REQUIRED once every client
(each OMS and the agent monitoring the repository) has been configured.
The seed shown is a placeholder: use 10 to 70 characters of random data,
not a predictable string.
Enabling ASO for Each OMS
ASO for the OMS is configured through entries in
OMS_HOME/sysman/config/emoms.properties.
oracle.sysman.emRep.dbConn.enableEncryption=TRUE
oracle.net.encryption_types_client=(DES40C)
oracle.net.encryption_client=REQUESTED
Stop and restart the OMS to implement the new parameters.
DES40C in the example is 40-bit DES and does not adequately protect
repository traffic; list the strongest algorithm that both the repository
and the OMS's JDBC driver support (AES256 where available) instead.
Enabling ASO for the Agent
On the agent that monitors the repository database, create
AGENT_HOME/network/admin/sqlnet.ora as a text file with the following
entry:
• SQLNET.CRYPTO_SEED
SQLNET.CRYPTO_SEED="abcdefg123456789"
As on the repository, replace the placeholder with random data. The seed
is local input to key generation and does not have to match the
repository's seed.
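The three slides above give the ASO settings one file at a time. The following shell script is an added example, not code from the Oracle course, that applies them to all three homes and then checks the result. The home directories are parameters; the random seed replaces the slides' placeholder; AES256 is assumed to be supported by the OMS's JDBC driver (pass another algorithm if it is not); and the verify step deliberately rejects the slides' DES40C and any ENCRYPTION_SERVER value other than REQUESTED or REQUIRED. Stop the OMS before running it and restart the OMS afterwards, as the slides require.

```shell
#!/bin/sh
# Added example (not from the Oracle course): apply the ASO settings from the
# repository, OMS and agent slides, then verify them. Home directories are
# parameters; the file paths under them are the ones the slides name.

# set_param FILE KEY VALUE: replace KEY=... if present, otherwise append.
# Works for sqlnet.ora and emoms.properties (both are KEY=VALUE files).
set_param() {
    file=$1 key=$2 value=$3
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    kre=$(printf '%s' "$key" | sed 's/\./\\./g')        # dots in the key are literal
    esc=$(printf '%s' "$value" | sed 's/[\&|]/\\&/g')   # value is literal in the replacement
    if grep -q "^[[:space:]]*$kre[[:space:]]*=" "$file"; then
        tmp=$(mktemp) || return 1
        sed "s|^[[:space:]]*$kre[[:space:]]*=.*|$key=$esc|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_param FILE KEY: print the (last) value of KEY, or nothing if unset.
get_param() {
    kre=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s|^[[:space:]]*$kre[[:space:]]*=[[:space:]]*||p" "$1" 2>/dev/null \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# seed_ok '"seed"': SQLNET.CRYPTO_SEED must be 10 to 70 characters (quotes excluded).
seed_ok() {
    s=$(printf '%s' "$1" | sed 's/^"//; s/"$//')
    [ ${#s} -ge 10 ] && [ ${#s} -le 70 ]
}

# new_crypto_seed: 48 random hex characters instead of the slides' placeholder.
new_crypto_seed() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 24
    else
        od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

configure_repository() {   # configure_repository ORACLE_HOME [REQUESTED|REQUIRED]
    f=$1/network/admin/sqlnet.ora
    set_param "$f" SQLNET.ENCRYPTION_SERVER "${2:-REQUESTED}"
    set_param "$f" SQLNET.CRYPTO_SEED "\"$(new_crypto_seed)\""
}

configure_oms() {          # configure_oms OMS_HOME [ALGORITHM]
    f=$1/sysman/config/emoms.properties
    set_param "$f" oracle.sysman.emRep.dbConn.enableEncryption TRUE
    # AES256 is an assumption about the OMS's JDBC driver; pass another
    # algorithm if yours does not offer it.
    set_param "$f" oracle.net.encryption_types_client "(${2:-AES256})"
    set_param "$f" oracle.net.encryption_client REQUESTED
}

configure_agent() {        # configure_agent AGENT_HOME
    set_param "$1/network/admin/sqlnet.ora" SQLNET.CRYPTO_SEED "\"$(new_crypto_seed)\""
}

# verify_aso ORACLE_HOME OMS_HOME AGENT_HOME: 0 when all three sides are set
# up and no export-grade algorithm is configured, 1 otherwise (reasons on stderr).
verify_aso() {
    db=$1/network/admin/sqlnet.ora oms=$2/sysman/config/emoms.properties
    ag=$3/network/admin/sqlnet.ora rc=0
    case $(get_param "$db" SQLNET.ENCRYPTION_SERVER) in
        REQUESTED|REQUIRED) ;;
        *) echo "repository: SQLNET.ENCRYPTION_SERVER is not REQUESTED/REQUIRED" >&2; rc=1 ;;
    esac
    seed_ok "$(get_param "$db" SQLNET.CRYPTO_SEED)" ||
        { echo "repository: SQLNET.CRYPTO_SEED missing or wrong length" >&2; rc=1; }
    case $(get_param "$oms" oracle.sysman.emRep.dbConn.enableEncryption) in
        TRUE|true) ;;
        *) echo "oms: enableEncryption is not TRUE" >&2; rc=1 ;;
    esac
    case $(get_param "$oms" oracle.net.encryption_client) in
        REQUESTED|REQUIRED) ;;
        *) echo "oms: oracle.net.encryption_client is not REQUESTED/REQUIRED" >&2; rc=1 ;;
    esac
    case $(get_param "$oms" oracle.net.encryption_types_client) in
        "") echo "oms: oracle.net.encryption_types_client is not set" >&2; rc=1 ;;
        *DES40C*|*DES56C*|*RC4_40*|*RC4_56*)
            echo "oms: export-grade algorithm configured" >&2; rc=1 ;;
    esac
    seed_ok "$(get_param "$ag" SQLNET.CRYPTO_SEED)" ||
        { echo "agent: SQLNET.CRYPTO_SEED missing or wrong length" >&2; rc=1; }
    return $rc
}

# Usage: sh aso.sh apply ORACLE_HOME OMS_HOME AGENT_HOME   (OMS stopped first)
if [ "${1:-}" = apply ]; then
    configure_repository "$2" REQUESTED && configure_oms "$3" && configure_agent "$4" &&
        verify_aso "$2" "$3" "$4"
fi
```

Run the verify step again after you change SQLNET.ENCRYPTION_SERVER to REQUIRED; it is the only check that catches a repository that silently accepts cleartext from a client whose emoms.properties was never updated.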
Securing Application Server Control
The stand-alone Application Server Control console may also be configured
for secure operation:
• Stop the stand-alone console:
– emctl stop iasconsole
• Secure the stand-alone console:
– emctl secure em
• Start the stand-alone console:
– emctl start iasconsole
Enabling Enterprise Manager Security Framework
To enable Enterprise Manager Security Framework, the components must be
configured in a specific order:
1. Secure the OMS (done by default in Grid Control R2).
2. For each Oracle Management Agent, stop it, secure it (emctl secure agent
prompts for the agent registration password), and restart it:
emctl stop agent
emctl secure agent
emctl start agent
3. When all agents are secure, lock the OMS:
emctl secure lock
Verify each agent after restarting it. Once the OMS is locked, an agent
that was missed can no longer upload.
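An added example, not code from the Oracle course, that drives the order above across a list of agent hosts in the shell the commands are typed into: each agent is stopped, secured, started and then checked from its emctl status agent output, and the OMS is locked only if every agent reports https URLs. Assumptions: the emctl paths; ssh as the transport (redefine run_on for your environment); that emctl secure agent accepts the registration password as an argument; that the status output carries "Agent URL" and "Repository URL" lines as in the constructed sample; and that emctl stop oms / emctl start oms are enough to stop and start the OMS services around the lock, as the Refusing Nonsecure Uploads slide requires.

```shell
#!/bin/sh
# Added example (not from the Oracle course): secure every agent, verify it,
# then lock the OMS; refuse the lock while any agent still uploads over HTTP.
AGENT_EMCTL=${AGENT_EMCTL:-/u01/app/oracle/agent10g/bin/emctl}   # assumed paths
OMS_EMCTL=${OMS_EMCTL:-/u01/app/oracle/oms10g/bin/emctl}

# Constructed sample of `emctl status agent` output for an already-secured
# agent. The real output has many more lines; only these two are parsed.
SAMPLE_SECURE_STATUS='Agent URL         : https://agent1.example:3872/emd/main/
Repository URL    : https://oms.example:1159/em/upload'

# run_on HOST CMD...: run CMD on HOST. Redefine to use your own transport.
run_on() {
    target=$1; shift
    ssh -o BatchMode=yes "$target" "$@"
}

# agent_is_secure: read status output on stdin; succeed only when the Agent
# URL and the Repository URL (the OMS upload URL) both use https.
agent_is_secure() {
    status=$(cat)
    agent_url=$(printf '%s\n' "$status" | sed -n 's/^Agent URL[[:space:]]*:[[:space:]]*//p')
    repo_url=$(printf '%s\n' "$status" | sed -n 's/^Repository URL[[:space:]]*:[[:space:]]*//p')
    case $agent_url in https://*) ;; *) return 1 ;; esac
    case $repo_url  in https://*) ;; *) return 1 ;; esac
}

# secure_agent HOST REGPASS: stop, secure, start, then verify (step 2).
# The registration password is passed on the command line and is therefore
# visible in the remote process list while emctl runs; use a registration
# password created for the rollout and removed from Grid Control afterwards.
secure_agent() {
    h=$1 regpass=$2
    run_on "$h" "$AGENT_EMCTL" stop agent >/dev/null             || return 1
    run_on "$h" "$AGENT_EMCTL" secure agent "$regpass" >/dev/null || return 1
    run_on "$h" "$AGENT_EMCTL" start agent >/dev/null            || return 1
    run_on "$h" "$AGENT_EMCTL" status agent | agent_is_secure
}

# secure_all_then_lock OMS_HOST REGPASS AGENT_HOST...: step 2 for every agent,
# then step 3 only if every agent verified as secure.
secure_all_then_lock() {
    oms_host=$1 regpass=$2; shift 2
    failed=0
    for host in "$@"; do
        if secure_agent "$host" "$regpass"; then
            echo "secured: $host"
        else
            echo "NOT secure: $host" >&2
            failed=$((failed + 1))
        fi
    done
    if [ "$failed" -ne 0 ]; then
        echo "$failed agent(s) still insecure; leaving the OMS unlocked" >&2
        return 1
    fi
    # Step 3, bracketed by the OMS stop/start the Refusing Nonsecure Uploads slide requires.
    run_on "$oms_host" "$OMS_EMCTL" stop oms    || return 1
    run_on "$oms_host" "$OMS_EMCTL" secure lock || return 1
    run_on "$oms_host" "$OMS_EMCTL" start oms
}

# Usage: AGENT_REG_PASS=... sh rollout.sh run oms.example agent1.example agent2.example
if [ "${1:-}" = run ]; then
    oms=$2; shift 2
    secure_all_then_lock "$oms" "${AGENT_REG_PASS:?set AGENT_REG_PASS}" "$@"
fi
```

Keeping the lock behind the per-agent check is the point: the slide's step 3 is safe only because step 2 really finished everywhere, and the check reads that back from the agent rather than trusting that emctl secure agent returned.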
Configuring Enterprise Manager for Firewalls
Before configuring your firewall, consider the following:
• It should be the last phase of the Enterprise Manager deployment.
• For existing firewalls, open the default Enterprise Manager
communication ports until the installation and configuration processes
are complete.
• If enabling Enterprise Manager Framework Security, do not secure the
agents until you confirm that HTTP and HTTPS traffic between the agent
and the Management Service works (agents upload to the OMS, not directly
to the repository).
• After confirming that the OMS and Oracle Management Agents can
communicate, complete the transition into secure mode and change the
firewall configuration as necessary.
Firewall Configuration for Grid Control
Components
• Firewalls between the browser and the Grid Control
console
• Oracle Management Agent protected by a firewall
• Management Service protected by a firewall
• Firewalls between the Management Service and the
Management Repository
• Firewalls between Grid Control and a managed
database target
• Firewalls used with multiple Management Services
• Firewalls to allow ICMP and UDP traffic for beacons
• Firewalls when managing Oracle Application Server
Configuring the Agent for Proxy Communication
To configure the agent so that it communicates via a proxy
server, perform the following steps:
1. Stop the Oracle Management Agent.
2. Add proxy information to
AGENT_HOME/sysman/config/emd.properties:
– REPOSITORY_PROXYHOST
– REPOSITORY_PROXYPORT
3. Start the Oracle Management Agent.
Configuring the OMS for Proxy Communication
To configure the OMS so that it communicates via a proxy
server, perform the following steps:
1. Stop the OMS.
2. Add proxy information to
OMS_HOME/sysman/config/emoms.properties.
3. Start the OMS.
Authenticating Grid Control Administrators
Grid Control administrators are:
• Authenticated as repository database users
• Created and managed through the Grid Control console
If desired, administrators may be created, managed, and
authenticated via Oracle Single Sign-On.
Oracle Single Sign-On
• Single Sign-On (SSO) is a component of Oracle
Application Server that enables users to log in to Web
applications by using a single username and password.
• Configuring Grid Control to use Single Sign-On is a
two-step process:
1. Configure the OMS to use SSO.
2. Add Grid Control users.
Configuring the OMS for SSO
To configure the OMS to use SSO, perform the following steps:
1. Stop the OMS.
2. Reconfigure the OMS to use SSO:
emctl config sso
-host <SSO Server>
-port <SSO DB Listener Port>
-sid <SSO DB SID>
-pass <DB password for orasso>
-das <URL for OIDDAS server>
3. Start the OMS.
The orasso password given with -pass is visible in the shell history and
in the process listing while the command runs; treat the session
accordingly and clear the history entry afterwards.
Enterprise User Security
• With Enterprise User Security, database users are
authenticated through a centralized directory.
• Instead of storing management credentials for each
target database, the OMS may be configured to use
Enterprise User Security.
[Diagram: Grid Control authenticating database users against Oracle Internet Directory]
Configuring the OMS for
Enterprise User Security
To configure an OMS for use with Enterprise User Security,
perform the following steps:
1. Stop all OMS services.
2. Edit emoms.properties to enable Enterprise User
Security.
3. Start OMS services.
Summary
In this lesson, you should have learned how to:
• Describe the security options available for Oracle
Management Service and Oracle Management Agent
• Configure Grid Control for use with proxy servers and
through firewalls
• Authenticate Grid Control administrators using Single
Sign-On
• Configure Grid Control for use with Enterprise User
Security