Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Oracle Enterprise Manager Security: A Practitioners Guide

4,524 views

Published on

East Coast Oracle Users Group 2015 - Oracle Enterprise Manager 12c security framework can be quite overwhelming for the EM administrator. It's often hard to understand how the components interact and how to best leverage them for your organization. Learn how to take advantage of Enterprise Manager roles, groups and named credentials to properly grant permissions and privileges to users. Utilizing EM privileges, we'll show how you can safely grant access to application teams and developers, without the worry of changes being made.

Published in: Software
  • Be the first to comment

Oracle Enterprise Manager Security: A Practitioners Guide

  1. 1. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Oracle Enterprise Manager Security A Practitioners Guide Courtney Llamas Consulting Member of Technical Staff Enterprise Manager - Strategic Customer Program September 22, 2015 Oracle Confidential – Internal/Restricted/Highly Restricted
  2. 2. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. Oracle Confidential – Internal/Restricted/Highly Restricted 3
  3. 3. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Total Cloud Control Optimized, EfficientAgile, Automated | | Expanded Cloud Stack Management Scalable, Secure Superior Enterprise-Grade Management Complete Cloud Lifecycle Management
  4. 4. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Increase in Functionality Results in Increased Demand • Now a full data center tool – Monitors and manages entire stack – Configuration and compliance management – Data Center automation – Cloud – Alerts – Reporting • Increase in target types supported – Fusion Middleware, E-Business Suite, Java Diagnostics, Siebel, SQL Server, MySQL, DB2
  5. 5. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Top 5 Questions About Access and Security • Our DBA team has EM, but the FMW team wants to add their targets, how can I do this without them interfering with our work? • My developers want to see the database performance, how can I allow them without fear of them breaking something? • Security policies won’t allow us to share the oracle account/password, but we need it for certain tasks, how can we work around this? • Can we integrate our users with our corporate LDAP system? • How can we share a job with a group of users so we can all edit the job? Oracle Confidential – Internal/Restricted/Highly Restricted 6 1 2 3 4 5
  6. 6. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 1: Organize Targets by Support Team • Our DBA team has EM, but the FMW team wants to add their targets, how can I do this without them interfering with our work? Different teams support the databases, FMW, E-business targets. They work together often as their targets are associated and need to view other targets. Requirement • Create groups and/or systems • Set target properties • Create function based roles Solution – Organize Targets by Support Team Oracle Confidential – Internal/Restricted/Highly Restricted 7
  7. 7. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Organize Targets by Support Team • Different groups of users have different access requirements • Define what these groups look like and organize targets in groups or systems – Groups allow you to manage many targets as one based on common attributes (access, monitoring, notifications, etc.) – Services/Systems • Use Target Properties for defining group membership and automation • Create Roles with appropriate Privileges on the groups Oracle Confidential – Internal/Restricted/Highly Restricted 8
  8. 8. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Organize Targets Oracle Confidential – Internal/Restricted/Highly Restricted 9 •Manually add targets •Nest to form a hierarchy •Targets may reside in multiple •No automation •Privileges can be propagated to member targets •Define membership by target properties •Targets may reside in multiple •Automate membership •Privileges can be propagated to member targets •Defined as a hierarchy based on target properties •Multiple levels and layers •Targets only reside in one leaf node •Automated membership •Automated template apply •Privileges are propagated to member targets •Aggregate target that contains related components •Availability determined by key member target availability •Can be privilege propagating Basic Groups Dynamic Groups Administration Groups Systems
  9. 9. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | • Also can be used as filters in Incident Rules and Notification Methods, Reports • LifeCycle Status helps prioritize OMS workload in back logged system/agents • User Defined Target Properties Target Properties
  10. 10. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Creating Roles for Various User Access • Grant Target Privileges on groups of targets to restrict access in multi- organization environments • Use the Connect Target Read-Only for non-privileged access • Best Practices for Security: – Grant roles to users not direct privileges – Least privileged method preferred – User Super Admin sparingly – Utilize the Out-of-Box Roles for examples Owner •can do anything on target Admin •operate and make changes to the target (running jobs, diag & tuning, etc.) Operator •triage faults, and checks things (no changes) •typically for notifications and follow-up Guest •Read-only access
  11. 11. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | • Privileges Applicable to all Targets – Applies to all – Limit use • Target Privileges – Add Targets (Group, System, etc) – Manage Target Privilege Grants to assign permissions Oracle Confidential – Internal/Restricted/Highly Restricted 12 Target Privileges If you have granted ANY permissions, you likely have not thought out your requirements enough
  12. 12. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Resource Privileges Common Grants • Access • Dashboards • Enterprise Rule Set * • Metric Extension * • Named Credential • Job System • Report • Target Discovery Framework * • Template * • Template Collection * Database Specific • Backup Configuration • Backup Status Report • Database Replay Middleware Specific • Fusion Middleware Offline Diagnostic • JVM Diagnostic LifeCycle Management • Compliance Framework • Configuration Extensions • Deployment Procedures • Patch Plan • Patching Setup • Software Library Entity Oracle Confidential – Internal/Restricted/Highly Restricted 13
  13. 13. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Sample Privilege Breakdown Guest • Connect Target Read-Only • View (on Group) • Named Credential Operator • Operator on Group • Named Credential • Job System Admin • Full on Group • Named Credential • Report • Job System Owner • Full on Group • Configuration Extensions • Enterprise Rule Set • Metric Extensions • Target Discovery Framework • Template • Template Collection EM Admins • EM Plug-in • Enterprise Manager High Availability • OMS Configuration Property • Proxy Settings • Self Update • Software Library Administration • Software Library Entity • System Oracle Confidential – Internal/Restricted/Highly Restricted 14
  14. 14. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Putting it all together – DBA Example • Create dynamic groups • Set target properties to join group • Create “DBA_Admin” role – Select Add under Target Privileges and select DBA, WLS and EBIZ groups – Modify DBAGroup to add Group Administration privilege – WLS/EBIZ groups remain view access Oracle Confidential – Internal/Restricted/Highly Restricted 15
  15. 15. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | • Console – Edit User or Edit Role • EM CLI $emcli grant_roles - name=“JOE" - roles=“DBA_ADMIN;BLACKOU T_ADMIN” Oracle Confidential – Internal/Restricted/Highly Restricted 16 Ways to Grant Roles
  16. 16. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Granting Users Permission to Manage Roles • Managed by Super Administrator or user with Manage System Roles privilege $emcli grant_roles(name=“BOB”, role=“my_cred_role:WITH_ADMIN_OPTION”) New in 12cR4
  17. 17. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 2: Application Access to Database • My developers want to see the database performance, how can I allow them without fear of them breaking something? They can’t make changes to production databases either Requirement • Connect Target Read Only • Named Credential Solution – Read-only Accounts Oracle Confidential – Internal/Restricted/Highly Restricted 18
  18. 18. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Application Access to Database • An EM account does not authorize any database or application activity – Target login will be required • Databases rely on DB authentication (i.e. scott/tiger, sys as sysdba) • Hosts require OS authentication to view files, run jobs • Named Credentials allow you to store the combination of user/pwd – Can be changed frequently – Can be granted to other users • Create a role for developer access to connect/view required targets only – Connect read-only
  19. 19. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Database Permissions - Performance Views • create session • select any dictionary View Performance pages, charts and explain plans • execute on dbms_workload_repository Run AWR reports • create job • oem_advisorSQL Access Advisor • Cannot be used in read-only mode • execute on dbms_workload_repository • administer sql tuning set SQL Tuning Advisor For more on database permissions see the Database Security Guide
  20. 20. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | • Store a username/password combination • Referenced not stored • One update required for changes • Share access with others – View (use) – Edit (update) – Full (delete) • Allows for SSH credentials Named Credentials
  21. 21. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Basic Target Access Requirements • View Target – Ability to view target status, basics from home page • Created Named Credential – Save/Access a username/password combination • Connect – Ability to enter a target username/password • Connect Read-Only – Limits connection to a read-only mode – Connect mode supersedes connect read-only
  22. 22. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Connect Target Read-Only • When unauthorized users attempts changes Oracle Confidential – Internal/Restricted/Highly Restricted 23
  23. 23. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 3: Sharing Oracle account pwd • Security policies won’t allow us to share the oracle account/password, but we need it for certain tasks, how can we work around this? Requirement • Preferred Credentials • Named Credential Solution Oracle Confidential – Internal/Restricted/Highly Restricted 24
  24. 24. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Sharing Account with Named Credentials • Security manager or admin can create a named credential with the oracle account/password, then grant DBAs access to use the credential. • Password is not known, only allowed access via EM which can be audited • Named credential can be stored as user’s preferred credential for login with out prompting • Passwords can be changed easily and frequently using EM CLI $ emcli modify_named_credential -cred_name=GLB_ORA_OS -attributes="HostUserName:oracle;HostPassword:" Oracle Confidential – Internal/Restricted/Highly Restricted 25
  25. 25. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Preferred Credentials • Stored Credentials per target type • Utilizes Named Credentials
  26. 26. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Target Preferred Credentials • Use for one-off situations • Overrides default target type credentials
  27. 27. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Default Target Type Preferred Credentials • Multiple credentials per target type • Overrides Global Target/Target Type credentials
  28. 28. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | • Applies to all users with minimum privilege (OPERATOR) level – Can change minimum using update_credential_set verb • Can speed up user on-boarding • Use privileged accounts with caution • Target level overrides target type Global Preferred Credentials New in 12cR4
  29. 29. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Using EM CLI to Update Passwords and Set Credentials • Change the database user password in both the target database and Enterprise Manager. $emcli update_db_password -change_at_target=Yes|No -change_all_reference=Yes|No • Update a password which has already been changed at the host target. $emcli update_host_password -change_all_reference=Yes|No • Set preferred credentials for given users. $emcli set_preferred_credential -set_name="set_name" -target_name="target_name" -target_type="ttype" -credential_name="cred_name“ -for_user=“user” [- credential_owner ="owner”] Oracle Confidential – Internal/Restricted/Highly Restricted 30
  30. 30. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Requirement 4: Integrate with Corporate LDAP • Can we integrate our users with our corporate LDAP system? Security Team wants to ensure password policies are enforced and follow corporate standards. Requirement • LDAP Integration • External Roles • EM CLI commands Solutions to implement Oracle Confidential – Internal/Restricted/Highly Restricted 31
  31. 31. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Available Authentication Methods • Based on WLS supported methods – Repository based (default) – Oracle Access Manager with SSO – Enterprise User Security – LDAP (OID, Active Directory, etc.) • Benefits to using an advanced method – Reduces user administration effort in EM – Password expiration controlled centrally – User creation/deletion can be automated – External roles can map to authentication groups Oracle Confidential – Internal/Restricted/Highly Restricted 32
  32. 32. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Connect with Active Directory • Preferred method: emctl config auth ad emctl config auth ad -ldap_host "ldaphost" -ldap_port "3060" -ldap_principal "cn=orcladmin" -user_base_dn "cn=users,dc=us,dc=oracle,dc=com" -group_base_dn "cn=groups,dc=us,dc=oracle,dc=com" -ldap_credential "ldap_password" [- sysman_pwd "sysman_password"] • Alternate method: WLS Console – Add authentication provider and set OMS properties emctl set property –name “oracle.sysman.core.security.auth.is_external_authentication_enabled” –value “true” emctl set property –name “oracle.sysman.emSDK.sec.DirectoryAuthenticationType” –value “LDAP” • Full OMS stop/start required Oracle Confidential – Internal/Restricted/Highly Restricted 33 Enterprise Manager Cloud Control 12c: Configuring External User Authentication Using Microsoft Active Directory
  33. 33. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Create Users • Users must be created as “external” – Console or EM CLI emcli create_user -name="new_admin“ -type="EXTERNAL_USER" -roles="public" • Existing users can be modified emcli modify_user -name="name" -type="external_user" • Map attributes to LDAP emctl set property –name "oracle.sysman.core.security.auth.ldapuserattributes_emuserattributes_mappings" –value "USERNAME={%uid%},EMAIL={%mail%},CONTACT={%telephone%}, DEPARTMENT={%department%},DESCRIPTION={%description%},LOCATION={%postalcode%}" Oracle Confidential – Internal/Restricted/Highly Restricted 34
  34. 34. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Automating User Creation • Auto Provisioning allows LDAP users to be created upon first login emctl set property –name “oracle.sysman.core.security.auth.autoprovisioning” -value ”true” • Minimum Role restricts this to members of a certain group emctl set property –name “oracle.sysman.core.security.auth.autoprovisioning_minimum_role” –value “EM_ADMIN” • Username mapping (to External Numeric ID) provides the security while enhancing user experience and auditing emctl set property –name “oracle.sysman.core.security.auth.enable_username_mapping” –value “true” Oracle Confidential – Internal/Restricted/Highly Restricted 35
  35. 35. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | External Roles • Automate privilege grants by mapping Roles to LDAP Groups – LDAP Group of EM users = EM_ADMINS, external role named EM_ADMINS • Users will automatically get the permissions of that role Oracle Confidential – Internal/Restricted/Highly Restricted 36
  36. 36. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Requirement 5: Jobs Must be Shared by Teams • How can we share a job with a group of users so we can all edit the job? All members of the DBA team must be able to edit, stop, run the backup jobs. Requirement • Private Roles Solution Oracle Confidential – Internal/Restricted/Highly Restricted 37
  37. 37. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Jobs Must be Shared By Teams • To prevent unauthorized access, roles could not have full privs on jobs – 12c4r introduced Private Roles • Allowing shared jobs is now possible by – Create a Private Role that has Full access to job – Grant Private Role to the users Oracle Confidential – Internal/Restricted/Highly Restricted 38
  38. 38. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | • Created by Super Administrator or user with Create Role privilege • Can be granted WITH_ADMIN option • Grant privileged permissions – LAUNCH_DP – FULL_DP – GET_CREDENTIAL – EDIT_CREDENTIAL – FULL_CREDENTIAL – FULL_JOB Private Roles New in 12cR4
  39. 39. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Creating a Private Role • As a Super Admin or user with Create Role – Create a role and mark it Private • Object Owner must make grant
  40. 40. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Grant Job Resource Privileges
  41. 41. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Add Jobs to Role
  42. 42. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Select Resources (Jobs) to Add to Role
  43. 43. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Grant Privilege Level
  44. 44. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Resource Ownership • As SYSMAN, only able to grant FULL to jobs owned by SYSMAN • Manage Job is highest privilege that can be granted on Jobs owned by other users
  45. 45. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Option 2: Add Role on Access Tab of Specific Job
  46. 46. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Option 3: EMCLI • A Private Role can be granted to an administrator with WITH_ADMIN option as follows emcli>create_role(name=“my_cred_role”,private_role=True) emcli>grant_privs(name=“my_cred_role”, privilege="GET_CREDENTIAL;CRED_NAME=SSHCRED") emcli>grant_roles(name=“BOB”, role=“my_cred_role”) emcli>grant_roles(name=“JOHN”, role=“my_cred_role:WITH_ADMIN”) • BOB cannot share this credential with other users • JOHN can now share this credential with other users, has been granted WITH_ADMIN
  47. 47. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Summary • Many more features and functions that allow you to secure and share your Cloud Control environment – Auditing – Privilege Delegation (pbrun, sudo, etc) • First step is to define the different requirements – Who needs access – What do they need access to do • Always start with least possible privileges and build up • Use the out-of-box roles as guidance Oracle Confidential – Internal/Restricted/Highly Restricted 48
  48. 48. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Resources • OTN Enterprise Manager – OOW14 Content http://www.oracle.com/technetwork/oem/pdf/em-oow2014-2339393.html • Blogs: http://blogs.oracle.com/oem http://courtneyllamas.com • Twitter @oracle_EM @courtneyllamas
  49. 49. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | ECO Sessions Speaker Time Room Session Courtney TUE, SEP 22 11:15 am Grand Ballroom 2 Oracle Enterprise Manager Security: A Practitioners Guide Werner TUE, SEP 22 1:45 pm Grand Ballroom 1 Database Management 101 - How to Get the Most Out of EM to Monitor and Administer Your Databases Kellyn TUE, SEP 22 1:45 pm Grand Ballroom 2 DBA Database 12c New AWR, ASH and ADDM Features Using EM12c and Beyond Mike WED, SEP 23 4:00 pm Capital C Exadata Performance Troubleshooting Methodology Oracle Confidential – Internal/Restricted/Highly Restricted 50
  50. 50. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal/Restricted/Highly Restricted 51

×