Tips and Trics for hardening Oracle Fusion Middleware - Jacco Landlust & Simon Haslam

Tips and Tricks
for hardening
Oracle Fusion Middleware
a presentation by
Jacco Landlust & Simon Haslam

woensdag 3 oktober 12

Introduction
Architecture
Separate binaries from config
Firewall

Jacco H. Landlust
Personal Accounts
Nodemanager
SSL
Domain Wide Administration Port
Database
Auditing

• 35 years old
• Deventer, the Netherlands
• Lives Together with Margot,
2 Daughters (Franka & Jules) and our Cat

2


Introduction
Architecture
Firewall

Jacco H. Landlust / iDBA Personal Accounts
Nodemanager
SSL
Database
Auditing

• Independent Red Stack Administrator
• Oracle since 2000
• Oracle ACE since 2006
• iDBA since 2010
• Architecture, Clustering, High Availability, Performance &
Management

3


Introduction
Architecture
Firewall

Simon Haslam
Personal Accounts
Nodemanager
SSL
Database
Auditing

• Over 35 years old
• Sherborne, UK

4


Introduction
Architecture
Firewall

Simon Haslam
Personal Accounts
Nodemanager
SSL
Database
Auditing

• Oracle since 1996 (UNIX since 1989)
• Founded Veriton in 1996
• Oracle ACE Director since 2009
• Chair of the UKOUG Application Server & Middleware SIG
• Architecture, Design, Installation
• http://simonhaslam.co.uk

5


Introduction
Architecture
Firewall

Why present together?
Personal Accounts
Nodemanager
SSL
Database
Auditing

• Lone wolf pack
• We just like to talk, share ideas and discuss Oracle Fusion
Middleware administrator topics
• Oracle Infrastructure Administrators Group

6


Introduction
Architecture
Firewall

Prerequisites & Disclaimer
Personal Accounts
Nodemanager
SSL
Database
Auditing

• This is a technical presentation
• Background knowledge about middleware is assumed
• Best practices of our (Limited) experience
• We do not work for Oracle / represent Oracle
• We do not pretend this list is complete
• We are not ‘native’ American speakers

7

Tips and Tricks
for hardening
Oracle Fusion Middleware

8


Introduction
Architecture
Firewall

Whatever you do
Personal Accounts
Nodemanager
SSL
Database
Auditing

• Run on “current” versions
• Monitor for critical patches by Oracle
• Apply PSU’s / CPU’s

9


Introduction
Architecture
Firewall

Architecture
Personal Accounts
Nodemanager
SSL
Database
Auditing

• Decide upon definitions in your team
• Document your train of thoughts
• We love pictures
• Segregation of environments (DTAP)
• Start with security measures in DEV
• Use SSL wherever you can

10


Introduction
Architecture
Firewall

Architecture
Personal Accounts
Nodemanager
SSL
Database
Auditing

• Separate system components from Java components
• Separate directories
• Separate binaries from configuration
• Separate AdminServer from Managed Servers
• Standardize & automate as much as possible

11


Introduction
Architecture
Firewall

Architecture
Personal Accounts
Nodemanager
SSL
Database
Auditing

• Tiered architecture
• Think about access to components:
• from where?
• to what?
• by whom?

12


Introduction
Architecture
Firewall

Architecture
Personal Accounts
Nodemanager
SSL
Database
Auditing

13


Introduction
Architecture
Firewall
Personal Accounts
Nodemanager
SSL
Database
Auditing

14


Introduction
Architecture

Separate binaries
Firewall
Personal Accounts
Nodemanager

from configuration
SSL
Database
Auditing

• No chance of runtime user altering binaries
• Runtime users secondary group is primary group of binary
owner
• Need to fix privileges on some files / directories
• One nodemanager per runtime user

15


Introduction
Architecture
Firewall

Caveats
Personal Accounts
Nodemanager
SSL
Database
Auditing

• One nodemanager per runtime user
• Startup binary of system owner needs to be owner by runtime
user
• Different layared products have different requirements

16


Introduction
Architecture
Firewall

Fix Privileges
Personal Accounts
Nodemanager
SSL
Database
Auditing

find ${MW_HOME} -type d -exec chmod g+rx {} ;
find ${MW_HOME} -type f -exec chmod g+r {} ;
chmod g+w ${MW_HOME}/logs
touch ${MW_HOME}/domain-registry.xml
chmod g+w ${MW_HOME}/domain-registry.xml
touch ${MW_HOME}/common/nodemanager/nodemanager.domains
chmod g+w ${MW_HOME}/wlserver_10.3/common/nodemanager/nodemanager.domains
chmod g+w ${MW_HOME}/wlserver_10.3/server/lib
chmod g+w ${MW_HOME}/wlserver_10.3/server/lib/*.jks
chmod g+w ${MW_HOME}/oracle_common/sysman
chmod g+r ${MW_HOME}/oracle_common/modules/oracle.javacache_11.1.1/server_config/.sslConfig
chmod g+r ${MW_HOME}/oracle_common/modules/oracle.javacache_11.1.1/server_config/.joc_demo_keystore.jks
chmod g+r ${MW_HOME}/oracle_common/modules/oracle.javacache_11.1.1/server_config/.KEYSTORE
find ${MW_HOME} -name perl -exec chmod g+rx {} ;
find ${MW_HOME} -name emagent -exec chmod g+rx {} ;
find ${MW_HOME} -name emctl -exec chmod g+rx {} ;
find ${MW_HOME} -name emdctl -exec chmod g+rx {} ;

chown root ${MW_HOME}/Oracle_WT1/ohs/bin/.apachectl
chmod 6750 ${MW_HOME}/Oracle_WT1/ohs/bin/.apachectl

chown ${DOMUSR} ${MW_HOME}/Oracle_WT1/ohs/bin/apachectl

17


Introduction
Architecture
Firewall

Firewall
Personal Accounts
Nodemanager
SSL
Database
Auditing
http://en.wikipedia.org/wiki/Firewall_(computing)

A firewall primary objective is to control the incoming and outgoing
network traffic by analyzing the data packets and determining
whether it should be allowed through or not, based on a
predetermined rule set.

A network's firewall builds a bridge between an internal network that
is assumed to be secure and trusted, and another network, usually an
external (inter)network, such as the Internet, that is not assumed to be
secure and trusted

18


Introduction
Architecture
Firewall

Network Connection Filter
Personal Accounts
Nodemanager
SSL
Database
Auditing

• Connection filters let you deny access at the network level
• Network connection filters are a type of firewall in that they
can be configured to filter on protocols, IP addresses, and
DNS node names
• Careful: rules are domain wide

19


Introduction
Architecture

Connection Filter
Firewall
Personal Accounts
Nodemanager

Rules Syntax
SSL
Database
Auditing

Each rule must be written on a single line.
• Tokens in a rule are separated by white space.
• A pound sign (#) is the comment character. Everything after a pound sign on a
line is ignored.
• Whitespace before or after a rule is ignored.
• When entering the filter rules on the Administration Console, enter them in the
following format:
target localAddress localPort action protocols
• If no protocol is defined, all protocols will match a rule
• The rules are evaluated in the order in which they were written

20


Introduction
Architecture

Setup filter to block
Firewall
Personal Accounts
Nodemanager

all non-http traffic
SSL
Database
Auditing

127.0.0.1 * 7001 allow
192.168.56.101 * 7001 allow
0.0.0.0/0 * 7001 allow http
0.0.0.0/0 * 7001 deny

21


Introduction
Architecture

Firewall
Personal Accounts
Nodemanager

SSL
Database
Auditing

22


Introduction
Architecture

Firewall
Personal Accounts
Nodemanager

SSL
Database
Auditing

weblogic.security.net.ConnectionFilterImpl

22


Introduction
Architecture

Firewall
Personal Accounts
Nodemanager

SSL
Database
Auditing

<29-sep-2012 11:58:00 uur CEST> <Notice> <Socket>
<BEA-000445> <Connection rejected, filter blocked
Socket[addr=192.168.56.1,port=49182,localport=7001],
weblogic.security.net.FilterException: [Security:090220]rule 4>

23


Introduction
Architecture

Firewall
Personal Accounts
Nodemanager

SSL
Database
Auditing

127.0.0.1 * 7001 allow
192.168.56.101 * 7001 allow
0.0.0.0/0 * 7001 allow http
0.0.0.0/0 * 7001 deny

24


Introduction
Architecture
Firewall

Personal Accounts
Personal Accounts
Nodemanager
SSL
Database
Auditing

• Trace administrative actions to a human
• Authentication providers
• Identity assertion authentication provider
• JAAS control flags
• Order of providers matters
• Most FMW layered products only find group memberships
(and groups) for the first provider
25


Introduction
Architecture
Firewall

Role Based Privileges
Personal Accounts
Nodemanager
SSL
Database
Auditing

• For WebLogic configured in /console
• For most Fusion Middleware application configured in /em
• Policy store provider in OID or Database

26


Introduction
Architecture

SQL Based
Firewall
Personal Accounts
Nodemanager

Authentication Provider
SSL
Database
Auditing

CREATE TABLE USERS (
U_NAME VARCHAR(200) NOT NULL,
U_PASSWORD VARCHAR(50) NOT NULL,
U_DESCRIPTION VARCHAR(1000),
CONSTRAINT PK_USERS PRIMARY KEY (U_NAME));

CREATE TABLE GROUPS (
G_NAME VARCHAR(200) NOT NULL,
G_DESCRIPTION VARCHAR(1000) NULL,
CONSTRAINT PK_GROUPS PRIMARY KEY (G_NAME));

27


Introduction
Architecture

SQL Based
Firewall
Personal Accounts
Nodemanager

SSL
Database
Auditing

CREATE TABLE GROUPMEMBERS (
G_NAME VARCHAR(200) NOT NULL,
G_MEMBER VARCHAR(200) NOT NULL,
CONSTRAINT PK_GROUPMEMBERS
PRIMARY KEY (G_NAME,G_MEMBER),
CONSTRAINT FK1_GROUPMEMBERS
FOREIGN KEY ( G_NAME ) REFERENCES GROUPS (G_NAME)
ON DELETE CASCADE,
CONSTRAINT FK2_GROUPMEMBERS
FOREIGN KEY ( G_MEMBER ) REFERENCES USERS (U_NAME)
ON DELETE CASCADE
);

28


Introduction
Architecture

SQL Based
Firewall
Personal Accounts
Nodemanager

SSL
Database
Auditing

insert into USERS (U_NAME,U_PASSWORD,U_DESCRIPTION)
values('jacco','Welcome01','admin user');

insert into GROUPS (G_NAME,G_DESCRIPTION)
values('Administrators','Adnministrators');

insert into GROUPMEMBERS (G_NAME,G_MEMBER)
values('Administrators','jacco');

29


Introduction
Architecture

SQL Based
Firewall
Personal Accounts
Nodemanager

SSL
Database
Auditing

30


Introduction
Architecture

SQL Based
Firewall
Personal Accounts
Nodemanager

SSL
Database
Auditing

31


Introduction
Architecture
Firewall

Nodemanager
Personal Accounts
Nodemanager
SSL
Database
Auditing

• Always use secureListener=true
• Setup credentials to custom user
• Store and protect credentials in keyfiles
• Never use demo certificates (in production)

32


Introduction
Architecture

Secure Sockets Layer /
Firewall
Personal Accounts
Nodemanager

Transport Layer Security
SSL
Database
Auditing

• TLS and predecessor SSL are cryptographic protocols
• The TLS protocol allows client-server applications to
communicate across a network in a way designed to prevent
eavesdropping and tamering.

33


Introduction
Architecture
Firewall

How does it work?
Personal Accounts
Nodemanager
SSL
Database
Auditing

1. The client sends the server the client's SSL version number, cipher settings, session-specific data, and other
information that the server needs to communicate with the client using SSL.
2. The server sends the client the server's SSL version number, cipher settings, session-specific data, and other
information that the client needs to communicate with the server over SSL. The server also sends its own
certificate, and if the client is requesting a server resource that requires client authentication, the server requests
the client's certificate.
3. The client uses the information sent by the server to authenticate the server (see Server Authentication for details).
If the server cannot be authenticated, the user is warned of the problem and informed that an encrypted and
authenticated connection cannot be established. If the server can be successfully authenticated, the client
proceeds to step 4.
4. Using all data generated in the handshake thus far, the client (with the cooperation of the server, depending on the
cipher being used) creates the pre-master secret for the session, encrypts it with the server's public key (obtained
from the server's certificate, sent in step 2), and then sends the encrypted pre-master secret to the server.
5. If the server has requested client authentication (an optional step in the handshake), the client also signs another
piece of data that is unique to this handshake and known by both the client and server. In this case, the client sends
both the signed data and the client's own certificate to the server along with the encrypted pre-master secret.

34


Introduction
Architecture
Firewall

How does it work?
Personal Accounts
Nodemanager
SSL
Database
Auditing

6. If the server has requested client authentication, the server attempts to authenticate the client (see Client
Authentication for details). If the client cannot be authenticated, the session ends. If the client can be successfully
authenticated, the server uses its private key to decrypt the pre-master secret, and then performs a series of steps
(which the client also performs, starting from the same pre-master secret) to generate the master secret.
7. Both the client and the server use the master secret to generate the session keys, which are symmetric keys used to
encrypt and decrypt information exchanged during the SSL session and to verify its integrity (that is, to detect any
changes in the data between the time it was sent and the time it is received over the SSL connection).
8. The client sends a message to the server informing it that future messages from the client will be encrypted with
the session key. It then sends a separate (encrypted) message indicating that the client portion of the handshake is
finished.
9. The server sends a message to the client informing it that future messages from the server will be encrypted with
the session key. It then sends a separate (encrypted) message indicating that the server portion of the handshake is
finished.

source: http://en.wikipedia.org/wiki/Secure_Sockets_Layer

35


Introduction
Architecture
Firewall

Key Information
Personal Accounts
Nodemanager
SSL
Database
Auditing

• Identity store: information to uniquely and securely identify
yourself
• Truststore: knowledge of whom to trust

36


Introduction
Architecture

Different Components, Different
Firewall
Personal Accounts
Nodemanager

Keystores
SSL
Database
Auditing

• All java components use Java key stores (by default)
• All system components use Oracle Wallets
• Most system components need auto-login wallets
• Default CAs are stored with JRE

37


Introduction
Architecture
Firewall

When using WLST
Personal Accounts
Nodemanager
SSL
Database
Auditing

• -Dweblogic.security.SSL.trustedCAKeyStore=/path/to/
truststore.jks
• Setup WLST_PROPERTIES in
${MW_HOME}/wlserver_10.3/common/bin/wlst.sh
• Preferably create a wrapper script outside of your middleware
home

38


Introduction
Architecture
Firewall

Nodemanager
Personal Accounts
Nodemanager
SSL
Database
Auditing

• Setup in nodemanager.properties
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=identity.jks
CustomIdentityKeyStorePassPhrase=Welcome01
CustomIdentityAlias=oow12demo.area51.local
CustomIdentityPrivateKeyPassPhrase=Welcome01
CustomTrustKeyStoreFileName=truststore.jks

39


Introduction
Architecture
Firewall

WebLogic Servers
Personal Accounts
Nodemanager
SSL
Database
Auditing

• Change keystoretype to Custom Identity (and Custom Trust)
• Configure Identity Keystore
• Configure Trust Keystore (if custom)
• Configure Private key (whoami)
• No disabling of hostname verification
• 2 way SSL

40


Introduction
Architecture
Firewall

Layered Products
Personal Accounts
Nodemanager
SSL
Database
Auditing

• Most can be configured from Enterprise Manager (you must
have the administrator role!)
• Credential Maps are all stored in an Oracle Wallet
• Setup SSL in mod_wl_ohs.conf to encrypt traffic between
OHS and WLS

41


Introduction
Architecture

Domain Wide
Firewall
Personal Accounts
Nodemanager

Administration Port
SSL
Database
Auditing

• You can separate administration traffic from application
traffic in your domain
• Run administrative actions on separate threads from
application threads
• You can start a server in standby state
• Since communication uses SSL, administration traffic (which
includes such things as administrator passwords) is more
secure
42


Introduction
Architecture
Firewall

Caveats
Personal Accounts
Nodemanager
SSL
Database
Auditing

• All servers in your domain must be configured with support
for the SSL protocol
• Port conflicts, override per managed server
• Inter-layered product communication usually runs over user
weblogic / a user with the administrator role
• Register system components can be difficult / you cannot
use standard config.sh GUI’s

43


Introduction
Architecture

Domain Wide
Firewall
Personal Accounts
Nodemanager

Administration Port
SSL
Database
Auditing

44


Introduction
Architecture

Domain Wide
Firewall
Personal Accounts
Nodemanager

Administration Port
SSL
Database
Auditing

Console/Management requests or requests with
<require-admin-traffic> specified to 'true' can only be made
through an administration channel

45


Tips and Trics for hardening Oracle Fusion Middleware - Jacco Landlust & Simon Haslam

Tips and Trics for hardening Oracle Fusion Middleware - Jacco Landlust & Simon Haslam

Recommended

Recommended

More Related Content

Similar to Tips and Trics for hardening Oracle Fusion Middleware - Jacco Landlust & Simon Haslam

Similar to Tips and Trics for hardening Oracle Fusion Middleware - Jacco Landlust & Simon Haslam (20)

More from Getting value from IoT, Integration and Data Analytics

More from Getting value from IoT, Integration and Data Analytics (20)

Recently uploaded

Recently uploaded (20)

Tips and Trics for hardening Oracle Fusion Middleware - Jacco Landlust & Simon Haslam