Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |
Oracle Enterprise Manager 12c
CON8243 - Enterprise Manager 12c Security Cookbook:
Best Practices for Large Datacenters
Maureen Byrne, Product Management, Oracle
Marleen Gebraad, Rabobank
Nagaraj Krishnappa
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Agenda
1. Security Framework Overview
2. Common Enterprise Manager Security Concerns:
3. Authentication
4. Credential Management
5. Authorization
6. Resources
7. RaboBank
Enterprise Manager : Security Overview
Oracle Enterprise Manager Security Framework Components:
• Enterprise Manager Authentication
• Target Authentication
• Enterprise Manager Authorization
• Secure Communication
• Cryptographic Key
• Enterprise Manager Auditing
Also shown in the diagram: Backup/Recovery Jobs, SQL Script Jobs, Monitoring Templates, Privilege Delegation Templates, Agents, Information Reports, Root Cause Analysis
Enterprise Manager : Security Framework Overview
[Architecture diagram: Administrators and the Enterprise Manager Command Line Interface authenticate to Enterprise Manager Cloud Control (Oracle Management Service and Oracle Management Repository) through Enterprise Manager Authentication and Enterprise Manager Authorization; Agents on Solaris, Linux and Windows hosts reach the Database, Application Server and Applications targets through Target Authentication.]
Enterprise Manager : Authentication
Authentication is the process of determining the validity of a user.
Enterprise Manager Authentication
• Repository Authentication
• External Authentication
– Achieved with WLS container authentication
– Support for:
• OAM Authentication
• LDAP Authentication, e.g. MS Active Directory
• SSO Support
– Centralized user management
Target Authentication
• Target Credentials
– Named, Preferred, Monitoring
• Authentication Schemes
– Username and Password
– SSH credentials (host target types)
– Kerberos Credentials
Enterprise Manager : WLS container authentication
External Authentication – delegated to WebLogic Server
• Authentication achieved with WebLogic Server container authentication
• WLS provides an extensive list of supported Security Providers
– EM provides out of box support (1 step configuration) for AD, OID and OAM providers for the username/password scheme, by:
• Setting the necessary properties in EM
• Setting the necessary configuration parameters in WLS
• WLS also provides the ability to create Custom Security Providers
Use one-step configuration for AD, OID and OAM to conveniently set up Enterprise Manager for external authentication using the command "emctl config auth ...".
Our corporate authentication standard is Microsoft Active Directory. How can I configure Enterprise
Pre EM 12cR2
1. Login to the WLS Admin Console using WLS admin credentials
– Configure the AD Authentication Provider
2. Login to the EM Console
– Configure the EM Authentication properties
EM 12cR2
Use one command to configure both WLS and EM:
$> emctl config auth ad ...
Enterprise Manager : WLS Container Authentication
Microsoft Active Directory Authentication (username/password)
Out of box – native support (one command):
- creates EM_AD_Provider
- configures EM_AD_Provider in WLS
- configures OMS properties in EM
The AD Provider contains all the configuration information:
- LDAP host
- user forests/trees/branches
- Administrators access
Example: One-step configuration to set up External Authentication for Enterprise Manager with Active Directory
emctl config auth ad -ldap_host "example.oracle.com" -ldap_port "389" -ldap_principal "cn=Administrator,cn=Users,dc=ys,dc=oracle,dc=com" -ldap_credential "WelcomePwd" -user_base_dn "cn=Users,dc=ys,dc=oracle,dc=com" -group_base_dn "cn=Builtin,dc=ys,dc=oracle,dc=com" -sysman_pwd "xyz123"
[Diagram: the Oracle Management Service delegates to the configured Authentication Providers – Repository, AD, OAM, ...]
Enterprise Manager Authentication: One-step configuration
Native support for external authentication – benefits
• Takes advantage of existing corporate authentication standards
• Allows you to quickly configure Enterprise Manager for external user authentication
– Sets Enterprise Manager OMS properties
– Creates and configures the WebLogic Server Provider
• Reduces administration overhead and the potential for configuration errors
I have external authentication enabled in Enterprise Manager with LDAP, do I have to recreate all my user accounts in Enterprise Manager?
You do not need to pre-create or re-enter user account information when using LDAP for external authentication - enabling auto-provisioning and using external roles will auto-create user accounts.
Enterprise Manager Authentication: Auto-Provisioning
Automatic creation of a user account upon first successful login
• External authentication is enabled with the following OMS property, which is set automatically during one-step configuration:
oracle.sysman.core.security.auth.is_external_authentication_enabled = true
• Auto-provisioning can be used with external LDAP authentication to auto-create user accounts upon first successful login:
oracle.sysman.core.security.auth.autoprovisioning = true
• Auto-provisioning can be applied to all users, or it can be restricted to the members of a particular LDAP group:
oracle.sysman.core.security.auth.autoprovisioning_minimum_role = <USER_GROUP_NAME>
e.g. oracle.sysman.core.security.auth.autoprovisioning_minimum_role = EM_ADMINISTRATORS
Enterprise Manager Authentication: Mapping User Groups to External Roles
• Defining a role, marking it as external, and mapping it to an LDAP group of users enables the users in that LDAP group to be granted that Enterprise Manager role upon login
– Where <LDAP_group_name> = <EM external role name>
– Example in EM CLI:
emcli> create_role(name="my_external_role", type="EXTERNAL_ROLE", desc="My external role")
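The login-time decisions described on the last two slides (external authentication on, auto-provisioning gated by autoprovisioning_minimum_role, and LDAP group name = external role name), as an added model in Python that is not Oracle code. The property names are the ones on the slides; the repository stand-in, the users, the LDAP groups and the assumption that an external role is dropped again when the user leaves the matching LDAP group are constructed for this example.

```python
"""Model of Enterprise Manager auto-provisioning and external-role mapping.

Added example, not Oracle code. Rules modelled from the slides: external
authentication must be enabled, auto-provisioning must be enabled, an optional
autoprovisioning_minimum_role restricts auto-creation to members of one LDAP
group, and on login a user is granted every EM external role whose name matches
one of their LDAP groups. Assumption: external roles for groups the user has
left are removed again on the next login. Users and groups are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PREFIX = "oracle.sysman.core.security.auth."


@dataclass
class EmRepository:
    """Minimal stand-in for the EM repository: external roles and user accounts."""
    external_roles: set[str]                                   # roles created with type=EXTERNAL_ROLE
    users: dict[str, set[str]] = field(default_factory=dict)   # user name -> roles held


def ldap_login(props: dict[str, str], repo: EmRepository,
               username: str, ldap_groups: set[str]) -> dict:
    """Apply the auto-provisioning rules for one successful LDAP authentication.

    Returns {"created": bool, "granted": set, "reason": str | None}; a non-None
    reason means EM has no account for the user and did not create one.
    """
    def enabled(name: str) -> bool:
        return props.get(PREFIX + name, "false").strip().lower() == "true"

    if not enabled("is_external_authentication_enabled"):
        return {"created": False, "granted": set(), "reason": "external authentication disabled"}

    created = False
    if username not in repo.users:
        if not enabled("autoprovisioning"):
            return {"created": False, "granted": set(), "reason": "unknown user; autoprovisioning off"}
        minimum_role = props.get(PREFIX + "autoprovisioning_minimum_role", "").strip()
        if minimum_role and minimum_role not in ldap_groups:
            return {"created": False, "granted": set(), "reason": f"not a member of {minimum_role}"}
        repo.users[username] = set()
        created = True

    # <LDAP group name> == <EM external role name>: grant the matching external roles.
    # Assumption: external roles for groups the user no longer belongs to are dropped,
    # so a user who moves teams carries only the new team's privileges after next login.
    granted = ldap_groups & repo.external_roles
    repo.users[username] = (repo.users[username] - repo.external_roles) | granted
    return {"created": created, "granted": granted, "reason": None}


# Constructed OMS property values, as the one-step configuration would leave them
CONSTRUCTED_PROPS = {
    PREFIX + "is_external_authentication_enabled": "true",
    PREFIX + "autoprovisioning": "true",
    PREFIX + "autoprovisioning_minimum_role": "EM_ADMINISTRATORS",
}


def demo() -> EmRepository:
    """Walk two constructed users through first login and a later team change."""
    repo = EmRepository(external_roles={"EM_ADMINISTRATORS", "DBA_TEAM", "DEV_TEAM"})
    # alice is in the minimum-role group: account auto-created, both matching roles granted
    ldap_login(CONSTRUCTED_PROPS, repo, "alice", {"EM_ADMINISTRATORS", "DBA_TEAM", "Domain Users"})
    # bob is not in EM_ADMINISTRATORS: refused, no account created
    ldap_login(CONSTRUCTED_PROPS, repo, "bob", {"DEV_TEAM", "Domain Users"})
    # alice moves from DBA_TEAM to DEV_TEAM: roles follow the LDAP groups on next login
    ldap_login(CONSTRUCTED_PROPS, repo, "alice", {"EM_ADMINISTRATORS", "DEV_TEAM"})
    return repo


if __name__ == "__main__":
    print(demo().users)
```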
Enterprise Manager Authentication: getting the most out of your LDAP integration
Auto-provisioning and External Roles – benefits
• Mapping an LDAP user group to an Enterprise Manager external role
– provides Enterprise Manager users with defined privileges on first login
– simplifies management of roles for external users
– if a user moves to another organization and is moved to another LDAP group, they will automatically be granted the necessary Enterprise Manager privileges for that group
• Used together, external authentication, auto-provisioning and external roles reduce administrative overhead by auto-creating user accounts and granting them the privileges appropriate to their organization
• Using username mapping (to an External Numeric ID) provides the security required by many security policy groups while simultaneously enhancing user experience and auditing
– oracle.sysman.core.security.auth.enable_username_mapping = true
Enterprise Manager: Credential Management
Credentials enable an administrator to perform a privileged operation on a managed target.
How can we easily share and manage credentials with hundreds of users for several targets?
Use Global Preferred Credentials – the best way to set Preferred Credentials for all users across many targets.
Enterprise Manager : Credential Management
• Enterprise Manager uses the concept of a Named Credential
– A Named Credential can contain a username/password, Kerberos token or SSH key
– A Named Credential is used to easily manage credentials
– A Named Credential is encrypted using AES and stored in the repository
– A Named Credential is granted to individual users
• Credentials can be granted with the following privileges: View, Full or Edit
• A user can set a Named Credential as a Preferred Credential
Enterprise Manager : Global Preferred Credentials
Convenient way to set Preferred Credentials for many users across many targets
• A Global Preferred Credential is a shared preferred credential
• Previously each user had to know a valid credential and set up their own preferred credential
[Diagram: Preferred Credentials exist at user scope (per user, e.g. User A) and at global scope (all users). At each scope there are Target Specific Preferred Credentials (one per target T1, T2, T3) and Target Type Preferred Credentials (one default per target type). Legend: PC - Preferred Credential, DPC - Default Preferred Credential, GPC - Global Preferred Credential, GDPC - Global Default Preferred Credential.]
Enterprise Manager : Global Preferred Credentials
Convenient way to set Preferred Credentials for many users across many targets
• Administrators need the following privileges to set Global Preferred Credentials
– FULL_TARGET - to set target specific scope at the Global Preferences level
– FULL_ANY_TARGET - to set target type scope at the Global Preferences level
• Administrators need the following privilege to use Global Preferred Credentials
– OPERATOR_TARGET - to use a Global Preferred Credential
– This privilege could be added to the PUBLIC role if you wanted to grant it to everyone
– Or you can change the privilege needed to use a Global Preferred Credential with the EM CLI command update_credential_set()
Enterprise Manager : Global Preferred Credentials
Use Global Preferred Credentials for many users across many targets
• Global Preferred Credentials reduce administrative overhead
– They can be granted to all users
• for a target
• for a target type
• New targets can automatically be accessed by many users
• Global Preferred Credentials can be used to efficiently onboard new administrators
– enabling new users to automatically access many targets
• Users can always override with their user level Preferred Credential
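How the four kinds of Preferred Credential on the previous slides resolve for a given user and target, as an added model in Python that is not Oracle code. The precedence (user scope before global scope, target-specific before target-type default) is this model's assumption drawn from "users can always override with their user level Preferred Credential"; the OPERATOR_TARGET requirement for using a Global Preferred Credential is from the slides, and the users, targets and credential names are constructed.

```python
"""Preferred Credential resolution across user scope and global scope.

Added example, not Oracle code. Levels modelled: user target-specific PC, user
target-type DPC, global target-specific GPC, global target-type GDPC. A Global
Preferred Credential is only usable by an administrator holding OPERATOR_TARGET
on the target (the default privilege, changeable with update_credential_set()).
Precedence order is an assumption of this model; data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PreferredCredentialStore:
    user_target: dict[str, dict[str, str]] = field(default_factory=dict)  # user -> target -> PC
    user_type: dict[str, dict[str, str]] = field(default_factory=dict)    # user -> target type -> DPC
    global_target: dict[str, str] = field(default_factory=dict)           # target -> GPC
    global_type: dict[str, str] = field(default_factory=dict)             # target type -> GDPC
    operator_target: dict[str, set[str]] = field(default_factory=dict)    # user -> targets with OPERATOR_TARGET


def resolve(store: PreferredCredentialStore, user: str, target: str,
            target_type: str) -> tuple[str, str] | None:
    """Return (level, named credential) that would be used for user@target, or None."""
    levels = [
        ("user target-specific PC", store.user_target.get(user, {}).get(target)),
        ("user target-type DPC", store.user_type.get(user, {}).get(target_type)),
    ]
    # Global Preferred Credentials are only considered when the user may use them
    if target in store.operator_target.get(user, set()):
        levels += [
            ("global target-specific GPC", store.global_target.get(target)),
            ("global target-type GDPC", store.global_type.get(target_type)),
        ]
    for level, cred in levels:
        if cred is not None:
            return level, cred
    return None


def build_store() -> PreferredCredentialStore:
    """Constructed example: four databases, three administrators, one global default."""
    store = PreferredCredentialStore()
    store.global_type["oracle_database"] = "GDPC_DB_MONITOR"   # covers every database, present and future
    store.global_target["db2"] = "GPC_DB2_APPUSER"             # one database gets its own shared credential
    store.user_target.setdefault("alice", {})["db1"] = "PC_ALICE_DB1"         # alice overrides for db1
    store.user_type.setdefault("bob", {})["oracle_database"] = "DPC_BOB_DB"  # bob overrides every database
    store.operator_target["alice"] = {"db1", "db2", "db3", "db4"}
    store.operator_target["bob"] = {"db1", "db2", "db3", "db4"}
    store.operator_target["carol"] = {"db1", "db4"}   # carol lacks OPERATOR_TARGET on db2 and db3
    return store


if __name__ == "__main__":
    s = build_store()
    for user, target in [("alice", "db1"), ("alice", "db4"), ("bob", "db2"), ("carol", "db2"), ("carol", "db4")]:
        print(user, target, resolve(s, user, target, "oracle_database"))
```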
Named Credentials can be shared between administrators performing a specific task by assigning the Named Credential to a Private Role – then granting that role to your users.
How do I grant a Named Credential to a group of users who are performing a specific task requiring
Enterprise Manager : Private Roles
Introducing the ability to grant sensitive privileges to a role in a controlled manner
• Prior to 12.1.0.4 only Super Administrators could create and grant roles
– Once created, a role was available to any Super Administrator to further grant to any user
– Super Administrators could grant a role without the permission or knowledge of the owner
• This created security concerns for powerful privileges and resources
• Which is why Named Credentials could not be granted to roles
• With Private Roles, introduced in 12.1.0.4, privileged administrators can create and grant roles
– Once created, a Private Role is available only to administrators who have been specifically granted that role
– Only role owners or role grantees can grant the Private Role
• Alleviating security concerns, as Private Roles are granted only to trusted administrators
• Introducing new role terminology
– System Role
• a role created and granted by a Super Administrator
• a role created and granted by an administrator with the manage_system_role privilege
– Private Role
• a role created and granted by a Super Administrator
• a role created and granted by an administrator with the create_role privilege
• Private Roles can be granted with the WITH_ADMIN option
Enterprise Manager : System Roles and Private Roles
                  | System Roles                                                        | Private Roles
What?             | Privilege A, Privilege B etc.                                       | Privilege A, Privilege B etc.
                  | Cannot contain LAUNCH_DP, FULL_JOB, FULL_DP                         | Can contain LAUNCH_DP, FULL_JOB, FULL_DP
                  | Cannot contain GET_CREDENTIAL, EDIT_CREDENTIAL, FULL_CREDENTIAL     | Can contain GET_CREDENTIAL, EDIT_CREDENTIAL, FULL_CREDENTIAL
Created by whom?  | Super Administrator, or Administrator with manage_system_role       | Administrator with create_role
Options?          | No options                                                          | Without ADMIN option, or With WITH_ADMIN option
Enterprise Manager : Private Roles
Introducing the ability to grant sensitive privileges to a role in a controlled manner
• A Private Role can be granted to an administrator with the WITH_ADMIN option as follows
emcli> create_role(name="private_role", private_role=True)
emcli> grant_privs(name="private_role", privilege="GET_CREDENTIAL;CRED_NAME=SSHCRED")
emcli> grant_roles(name="BOB", role="private_role")
emcli> grant_roles(name="JOHN", role="private_role:WITH_ADMIN")
// BOB cannot share this credential with other users as he has not been granted the role "private_role" with the WITH_ADMIN option
// JOHN can now share this credential with other users as he has been granted the role "private_role" with the WITH_ADMIN option
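The grant rules behind the emcli sequence above and the System Role versus Private Role comparison, as an added Python model that is not Oracle code: which privileges each role type may carry, and who may grant the role onward. The role, credential and user names BOB, JOHN and SSHCRED follow the slide; SYSMAN as role owner and the additional grantee ALICE are constructed.

```python
"""Grant rules for System Roles and Private Roles.

Added example, not Oracle code. Rules modelled from the slides: a System Role
cannot contain LAUNCH_DP, FULL_JOB, FULL_DP, GET_CREDENTIAL, EDIT_CREDENTIAL or
FULL_CREDENTIAL and is granted by a Super Administrator (or an administrator
with manage_system_role); a Private Role may contain them and may be granted
onward only by its owner or by a grantee who holds it WITH_ADMIN.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Privileges that only a Private Role may contain (System vs Private Role comparison)
PRIVATE_ONLY = {"LAUNCH_DP", "FULL_JOB", "FULL_DP",
                "GET_CREDENTIAL", "EDIT_CREDENTIAL", "FULL_CREDENTIAL"}


@dataclass
class Role:
    name: str
    owner: str
    private: bool
    privileges: set[str] = field(default_factory=set)
    grantees: dict[str, bool] = field(default_factory=dict)  # grantee -> holds it WITH_ADMIN?


def grant_privs(role: Role, privilege: str) -> None:
    """Counterpart of emcli grant_privs: add a privilege, enforcing the role-type rule."""
    base = privilege.split(";", 1)[0]   # "GET_CREDENTIAL;CRED_NAME=SSHCRED" -> "GET_CREDENTIAL"
    if not role.private and base in PRIVATE_ONLY:
        raise PermissionError(f"{base} cannot be placed in System Role {role.name}")
    role.privileges.add(privilege)


def can_grant(role: Role, who: str, system_role_admins: set[str]) -> bool:
    """True if `who` may grant this role to somebody else right now.

    system_role_admins: Super Administrators and holders of manage_system_role.
    """
    if role.private:
        return who == role.owner or role.grantees.get(who, False)
    return who in system_role_admins


def grant_roles(role: Role, grantor: str, grantee: str,
                system_role_admins: set[str], with_admin: bool = False) -> None:
    """Counterpart of emcli grant_roles, performed by `grantor` on behalf of `grantee`."""
    if with_admin and not role.private:
        raise ValueError("WITH_ADMIN is only available on Private Roles")
    if not can_grant(role, grantor, system_role_admins):
        raise PermissionError(f"{grantor} may not grant {role.name}")
    role.grantees[grantee] = with_admin


def demo_private_role() -> Role:
    """Replay the slide's scenario: BOB without WITH_ADMIN, JOHN with it."""
    admins = {"SYSMAN"}                       # SYSMAN: the EM super administrator account, owner here
    role = Role(name="private_role", owner="SYSMAN", private=True)
    grant_privs(role, "GET_CREDENTIAL;CRED_NAME=SSHCRED")
    grant_roles(role, "SYSMAN", "BOB", admins)
    grant_roles(role, "SYSMAN", "JOHN", admins, with_admin=True)
    grant_roles(role, "JOHN", "ALICE", admins)   # JOHN may share the credential onward; BOB may not
    return role


if __name__ == "__main__":
    print(demo_private_role())
```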
Enterprise Manager : Private Roles
Private Role benefits
• Private Roles work well for sharing credentials with administrators assigned to a specific role
• Leveraging Private Roles improves job manageability
– allowing other administrators to take over job ownership if the job owner leaves
• once the new job owner is granted the FULL_JOB privilege on that job
• Leveraging Private Roles or manage_system_role reduces the role administration burden on the Super Administrator
Enterprise Manager : Authorization
Authorization is the action of determining who has access where, to do what.
Enterprise Manager : Authorization
• Authorization determines who has access where, and to do what.
• Defined by..
– Privileges
• Target, e.g. View, Operator, Full
• Resource, e.g. Jobs, Deployment Procedure, Compliance
– Roles
• Made up of privileges
• Defined in Enterprise Manager
• Can be mapped to LDAP groups (external role)
• Granted to..
How do I restrict developers to read-only access to production target databases?
Use privilege propagating groups, aggregate target level privileges and the Connect Target Read Only privilege to restrict developer access to production databases.
Enterprise Manager : Authorization
Example: Granting developers view access to a database
[Diagram: a role for Application Developers carrying the Connect Target Read Only privilege on the DBAGroup privilege propagating group]
Use case: How to provide application developers read-only access to the database performance pages in Enterprise Manager, so that they get firsthand information on the impact of their applications on the underlying database.
Steps: Define your role to include the Connect Target Read Only privilege on the DBAGroup privilege propagating group, then grant it to your application developers. Create a Named Credential to enable developers to see the DB performance pages in Enterprise Manager, and grant the Named Credential.
Enterprise Manager : Enhancement to groups, systems and other aggregate target types
Ability to grant different privileges to a group and to the group members
Use case: the ability to grant VIEW privilege on the aggregate (i.e. a group of DB instances) and FULL on the members (i.e. the DB instances).
– The DBA has VIEW privilege on the group, preventing him from deleting the group
– The DBA has FULL privilege on the members of the group, allowing him to perform full life cycle tasks, including deleting the target
[Diagram: group privilege (VIEW) versus member privilege (FULL)]
Aggregate Target Type – a group of targets, or a target made up of many components, e.g. a group of DB instances or a RAC.
Enterprise Manager : Authorization
Roles, aggregate target types and privilege propagating groups
• Leveraging privilege propagating groups with aggregate target level privileges enhances target group management
– By granting FULL on a target member and VIEW on the group (aggregate), the administrator is prevented from accidentally deleting the group (aggregate)
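The two authorization use cases above (VIEW on the group with FULL on its members for the DBA, Connect Target Read Only on DBAGroup members for application developers), as an added Python model that is not Oracle code. The hierarchy FULL > OPERATOR > VIEW for target privileges, the placeholder privilege name CONNECT_TARGET_READ_ONLY for the slide's "Connect Target Read Only", and the member database names are this example's assumptions; DBAGroup is the group name from the slides.

```python
"""Effective privileges on a privilege propagating group and its members.

Added example, not Oracle code. Models the slides' use cases: the DBA holds
VIEW on the group (aggregate) and FULL on its members, so a member database may
be deleted but the group may not; application developers hold Connect Target
Read Only on the members of DBAGroup. Assumptions: FULL > OPERATOR > VIEW, and
Connect Target Read Only is a separate privilege outside that hierarchy.
"""
from __future__ import annotations

from dataclasses import dataclass, field

RANK = {"VIEW": 1, "OPERATOR": 2, "FULL": 3}     # target privilege hierarchy (assumption)
CONNECT_READ_ONLY = "CONNECT_TARGET_READ_ONLY"   # placeholder name for the slide's privilege


@dataclass
class PrivilegePropagatingGroup:
    name: str
    members: set[str]
    on_group: dict[str, set[str]] = field(default_factory=dict)    # admin -> privileges on the aggregate
    on_members: dict[str, set[str]] = field(default_factory=dict)  # admin -> privileges propagated to members

    def grant(self, admin: str, group_privs: set[str], member_privs: set[str]) -> None:
        """Grant one set of privileges on the group and a (possibly different) set on its members."""
        self.on_group[admin] = set(group_privs)
        self.on_members[admin] = set(member_privs)

    def add_member(self, target: str) -> None:
        """A new member automatically receives the propagated member privileges."""
        self.members.add(target)

    def privileges(self, admin: str, target: str) -> set[str]:
        """Privileges `admin` holds on `target` through this group (empty if unrelated)."""
        if target == self.name:
            return self.on_group.get(admin, set())
        if target in self.members:
            return self.on_members.get(admin, set())
        return set()


def has_privilege(group: PrivilegePropagatingGroup, admin: str, target: str, needed: str) -> bool:
    """Check `needed` against the admin's privileges on target, honouring the VIEW/OPERATOR/FULL hierarchy."""
    held = group.privileges(admin, target)
    if needed in RANK:
        return any(p in RANK and RANK[p] >= RANK[needed] for p in held)
    return needed in held


def can_delete(group: PrivilegePropagatingGroup, admin: str, target: str) -> bool:
    """Deleting a target (member or the group itself) requires FULL on that target."""
    return has_privilege(group, admin, target, "FULL")


def build_dbagroup() -> PrivilegePropagatingGroup:
    """Constructed DBAGroup: DBA gets VIEW on the group and FULL on members; developers get read-only."""
    g = PrivilegePropagatingGroup("DBAGroup", {"prod_db1", "prod_db2"})
    g.grant("dba", group_privs={"VIEW"}, member_privs={"FULL"})
    g.grant("app_dev", group_privs={"VIEW"}, member_privs={"VIEW", CONNECT_READ_ONLY})
    g.add_member("prod_db3")   # a database added later is covered by the same propagated grants
    return g


if __name__ == "__main__":
    g = build_dbagroup()
    for admin, target in [("dba", "prod_db1"), ("dba", "DBAGroup"), ("app_dev", "prod_db3")]:
        print(admin, target, "delete:", can_delete(g, admin, target), "privs:", g.privileges(admin, target))
```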
Marleen Gebraad and Nagaraj Krishnappa
EM12c Security Best Practices
Roles, Privileges, Auto-login, Users auto provisioning, Dynamic Groups, Named credentials implementation at Rabobank
Agenda
• Introducing Rabobank
• Oracle ECO department and EMaaS
• EM12c Security Model – Users and Smart Card Access
• EM12c Security Model – Roles and Dynamic groups
• EM12c Security Model – Dynamic groups and Privileges
• EM12c Security Model – Named Credentials and Jobs
• Q & A
Introducing Rabobank
• Established in 1898
• International financial services provider on a cooperative organisation principle
− Retail banking, wholesale banking, asset management, leasing and real estate
− Operating in 40 countries
− 10 million customers around the world
− 55,100 FTEs
• Retail banking in the Netherlands
− 7.5 million customers
− 123 independent local banks in the Netherlands
− 591 offices inside the Netherlands
− 25,200 FTEs
• Rabobank is 5th in the world’s safest commercial banks and still the safest bank in Europe, compiled by American
Oracle ECO team and EMaaS
• Oracle ECO team: from one central department responsible for the complete Oracle stack to a decentralized organization with a smaller set of responsibilities
• Previously EM11g was only used by the Oracle ECO team (50+ users); the current EM12c will be published as a service to Rabobank Nederland (1000+ users)
• For EMaaS, more focus on increasing levels of integrity and confidentiality
• Security principles for web based applications in Rabobank: role based access model, strong authentication, fine grained privilege access, every action must be performed via individual accounts, efficient user and role management, audit user actions etc.
Users and Smart Card Access
• Rabo Web Authentication (RWA), a custom LDAP integrated with OID 11.1.0.7
• Users are of the Single Sign-on (SSO) authentication type and exist in RWA (authentication) and Oracle Internet Directory (authorization)
• Auto-provisioning parameters used:
oracle.sysman.core.security.auth.enable_username_mapping
oracle.sysman.core.security.auth.autoprovisioning
oracle.sysman.core.security.auth.is_external_authentication_enabled
oracle.sysman.emSDK.sec.DirectoryAuthenticationType
oracle.sysman.core.security.auth.autoprovisioning_minimum_role
• Rabobank smartcard access to EM12c makes this 'strong authentication'
• RWA Identity Asserter (custom identity asserter) and AdminOID configured as WebLogic security providers
• WebLogic global role associated with OID groups so that RWA smartcard access works for the Admin Server console
[Diagram – smartcard login flow: the workstation (smartcard) presents an RWA cookie to WebLogic (1); the RWA Identity Asserter has the RWA client check the cookie (2) and return the result (3), yielding the identity rabobankID (4); the OID authentication provider gets privileges from Oracle Internet Directory (5) and receives the group (6); identity and groups pass to Enterprise Manager 12c (7), which matches the group against the EM12c repository (9), obtains the roles (10) and shows the application (11).]
EM12c Security Model – Roles and Dynamic groups
• Each role is based on teams within the Rabobank ICT organization (picture depicts the Oracle ECO team as an example)
• Team based roles exist as groups in OID and appear as 'external' roles in EM12c
• Each team based role is associated with functions (SEC = security operations, LJD = library job designer etc.)
• Each function based role has a 'management' and an 'end-user' sub-function role (e.g. create a job vs. view/execute a job)
• The technical EM role EMAAS_MG_EM (yellow block in the global roles depicted in the picture) has some higher functions due to the responsibility of managing EM and all its targets
EM12c Security Model – Dynamic groups and Privileges
• Target privileges are assigned to privilege propagating dynamic groups
• In this example diagram, the dynamic groups are shown on the Y axis and the teams the users belong to on the X axis
• Dummy service teams are created in order to cover different scenarios, e.g. a database belongs to the TT DB team, however if a database is an EM repository then it should also belong to the ST EM team
• For special roles like 'Employee of the day (MVdD)' and 'Standby (STBY)', we have created an 'operator any target' privilege
• If for any reason a user has to become super-admin, he/she can access a time-based role providing application (custom built) called 'SUPERU'
EM12c Security Model – Named Credentials and Jobs
• Named credentials are used in Rabobank to access the critical system accounts (oracle/root/SYS etc.)
• In the future we would like to integrate this with a password management digital vault, and we plan to use a time-based token technology to obtain named credentials as well
• Jobs are classified as 'system' and 'individual' jobs, e.g. system jobs are the backup jobs for all databases/OS etc.
• Every user must create the job under their own account and share the job (user-defined job) with a particular user/role if needed – typically team based roles for system jobs
• What happens when a user leaves the organization or changes teams – especially with 'system' jobs owned by that user? How can I grant 'full' access to the team based roles? E.g. a database backup job should be given full privilege to all Technical DB team members
Private roles are used in 12.1.0.4 to solve the above issues faced in 12.1.0.3
Enterprise Manager : OTN Resources
Documentation, Screenwatches
Enterprise Manager : Security Tips
• Tip#1: Use one-step configuration for AD, OID and OAM to conveniently set up Enterprise Manager for external authentication using the command "emctl config auth".
• Tip#2: You do not need to pre-create or re-enter user account information when using LDAP for external authentication; enabling auto-provisioning and using external roles will auto-create user accounts.
• Tip#3: Use Global Preferred Credentials – the best way to set Preferred Credentials for all users across many targets.
• Tip#4: Named Credentials can be shared between administrators performing a specific task by assigning the Named Credential to a Private Role – then granting that role to your users.
• Tip#5: Use privilege propagating groups, aggregate target level privileges and the Connect Target Read Only privilege to restrict developer access to production databases.
Appendix:
• Tip#6: Using Privilege Delegation bulk apply and deploy will allow you to efficiently standardize your PDP settings across your datacenter.
• Tip#7: Use the Security Console to conveniently view security configuration information for your managed environment.
Appendix
How can I efficiently deploy my PDP settings to all the managed hosts in my data center?
Default PDP templates can be applied to newly discovered host targets. For existing hosts, bulk apply and deploy can be used to efficiently standardize PDP settings across your data center.
Enterprise Manager : Privilege Delegation
• Privilege delegation allows a user to perform an activity with the privileges of another user
– e.g. patching, provisioning, jobs etc.
• Privilege Delegation tools supported are:
– Sudo
– PowerBroker
• A PDP template defines how privilege delegation is configured for a particular host; this information is needed when a PDP is deployed. It defines:
– The host operating system
– The type of PDP being used on a particular host
– The command line format and switches expected from the PDP tool
• Templates can be applied to multiple hosts
• Default templates can be applied to newly discovered host targets
– Prevents an Administrator from applying PDP settings on a host-by-host basis
– Ensures a standard configuration on all hosts
– Particularly useful when many host targets have been simultaneously added to Enterprise Manager
Enterprise Manager : Security Console and Entitlement page
Putting it all together... The Security Console and the Entitlement Page provide information on your security configuration and resources
Where can I get a consolidated view of all my security settings?
Use the Security Console to conveniently view security configuration information for your managed environment.
Enterprise Manager : Security Console
• Best practice recommendations, such as...
– encryption key removed from repository
– auditing operations turned on
– auditing externalization should be turned on
• Configuration information, such as...
– Who is currently logged on?
– Who are the most active users?
– Are there any unsecured agents?
– When will the certificates expire?
Enterprise Manager : Entitlement Page
Enterprise Manager : Resources
Security Console and Entitlement Page benefits
• Central location for all security information related to your infrastructure
• Allows administrators to view, optimize and analyze security information
• The Entitlement Page improves user management
– displaying privilege, role and resource information on a per user basis
– providing information on target access