Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
Oracle Enterprise Manager Security
A Practitioners Guide
Courtney Llamas
Consulting Member of Technical Staff
Enterprise Manager - Strategic Customer Program
March 3, 2016
Oracle Confidential – Internal/Restricted/Highly Restricted
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
Total Cloud Control
• Optimized, Efficient
• Agile, Automated
• Expanded Cloud Stack Management
• Scalable, Secure
• Superior Enterprise-Grade Management
• Complete Cloud Lifecycle Management
Increase in Functionality Results in Increased Demand
• Now a full data center tool
– Monitors and manages entire stack
– Configuration and compliance management
– Data Center automation
– Cloud
– Alerts
– Reporting
• Increase in target types supported
– Fusion Middleware, E-Business Suite, Java Diagnostics, Siebel, SQL Server, MySQL, DB2
Top 5 Questions About Access and Security
1. Our DBA team has EM, but the FMW team wants to add their targets. How can I do this without them interfering with our work?
2. My developers want to see the database performance. How can I allow them without fear of them breaking something?
3. Security policies won’t allow us to share the oracle account/password, but we need it for certain tasks. How can we work around this?
4. Can we integrate our users with our corporate LDAP system?
5. How can we share a job with a group of users so we can all edit the job?
1: Organize Targets by Support Team
Requirement
• Our DBA team has EM, but the FMW team wants to add their targets. How can I do this without them interfering with our work? Different teams support the database, FMW and E-Business targets. They work together often, as their targets are associated, and need to view each other's targets.
Solution – Organize Targets by Support Team
• Create groups and/or systems
• Set target properties
• Create function-based roles
Organize Targets by Support Team
• Different groups of users have different access requirements
• Define what these groups look like and organize targets in groups or
systems
– Groups allow you to manage many targets as one based on common attributes
(access, monitoring, notifications, etc.)
– Services/Systems
• Use Target Properties for defining group membership and automation
• Create Roles with appropriate Privileges on the groups
Organize Targets
Basic Groups
• Manually add targets
• Nest to form a hierarchy
• Targets may reside in multiple groups
• No automation
• Privileges can be propagated to member targets
Dynamic Groups
• Define membership by target properties
• Targets may reside in multiple groups
• Automate membership
• Privileges can be propagated to member targets
Administration Groups
• Defined as a hierarchy based on target properties
• Multiple levels and layers
• Targets only reside in one leaf node
• Automated membership
• Automated template apply
• Privileges are propagated to member targets
Systems
• Aggregate target that contains related components
• Availability determined by key member target availability
• Can be privilege propagating
Target Properties (new in 13c)
• Also usable as filters in Incident Rules, Notification Methods and Reports
• LifeCycle Status helps prioritize OMS workload on backlogged systems/agents
• User-defined Target Properties can be used in Dynamic/Admin groups in EM 13c
• Create a List of Values for a property in EM 13c
Creating Roles for Various User Access
• Grant Target Privileges on groups of targets to restrict access in multi-organization environments
• Use Connect Target Read-Only for non-privileged access
• Best Practices for Security:
– Grant roles to users, not direct privileges
– Least-privilege method preferred
– Use Super Admin sparingly
– Utilize the out-of-box roles as examples
Owner
• Can do anything on the target
Admin
• Operate and make changes to the target (running jobs, diag & tuning, etc.)
Operator
• Triage faults and check things (no changes)
• Typically for notifications and follow-up
Guest
• Read-only access
Target Privileges
• Privileges Applicable to all Targets
– Apply to all targets
– Limit use
• Target Privileges
– Add Targets (Group, System, etc.)
– Manage Target Privilege Grants to assign permissions
If you have granted ANY permissions, you likely have not thought out your requirements enough.
Resource Privileges
Common Grants
• Access
• Dashboards
• Enterprise Rule Set *
• Metric Extension *
• Named Credential
• Job System
• Report
• Target Discovery Framework *
• Template *
• Template Collection *
Database Specific
• Backup Configuration
• Backup Status Report
• Database Replay
Middleware Specific
• Fusion Middleware Offline Diagnostic
• JVM Diagnostic
LifeCycle Management
• Compliance Framework
• Configuration Extensions
• Deployment Procedures
• Patch Plan
• Patching Setup
• Software Library Entity
Sample Privilege Breakdown
Guest
• Connect Target Read-Only
• View (on Group)
• Named Credential
Operator
• Operator on Group
• Named Credential
• Job System
Admin
• Full on Group
• Named Credential
• Report
• Job System
Owner
• Full on Group
• Configuration Extensions
• Enterprise Rule Set
• Metric Extensions
• Target Discovery Framework
• Template
• Template Collection
EM Admins
• EM Plug-in
• Enterprise Manager High Availability
• OMS Configuration Property
• Proxy Settings
• Self Update
• Software Library Administration
• Software Library Entity
• System
Putting it all together – DBA Example
• Create dynamic groups
• Set target properties to join group
• Create “DBA_Admin” role
– Select Add under Target Privileges and select DBA, WLS and EBIZ groups
– Modify DBAGroup to add Group Administration privilege
– WLS/EBIZ groups remain view access
Ways to Grant Roles
• Console
– Edit User or Edit Role
• EM CLI
$ emcli grant_roles -name="JOE" -roles="DBA_ADMIN;BLACKOUT_ADMIN"
Granting Users Permission to Manage Roles (new in 12cR4)
• Managed by a Super Administrator or a user with the Manage System Roles privilege
emcli>grant_roles(name="BOB", roles="my_cred_role:WITH_ADMIN_OPTION")
Granting Users Ability to Create and Delete Users (new in 13c)
• The system resource privilege “User Management” allows non-super administrators to be responsible for user creation and deletion
2: Application Access to Database
Requirement
• My developers want to see the database performance. How can I allow them without fear of them breaking something? They must not be able to make changes to production databases either.
Solution – Read-only Accounts
• Connect Target Read-Only
• Named Credential
Application Access to Database
• An EM account does not authorize any database or application activity
– Target login will be required
• Databases rely on DB authentication (i.e. scott/tiger, sys as sysdba)
• Hosts require OS authentication to view files, run jobs
• Named Credentials allow you to store the combination of user/pwd
– Can be changed frequently
– Can be granted to other users
• Create a role for developer access to connect/view required targets only
– Connect read-only
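Added example, not from the deck: a POSIX shell wrapper that scripts both the DBA_Admin role from the “Putting it all together – DBA Example” slide and the read-only developer role from this “Application Access to Database” section with EM CLI, printing the commands in dry-run mode by default. The group names DBAGroup/WLSGroup/EBIZGroup, the DEV_RO role, the DEV_DB_RO credential with DB account perfview, the users JOE and DEV1, and the EM CLI privilege spellings are assumptions; confirm the spellings with emcli help grant_privs on your release.

```shell
#!/bin/sh
# Added example, not from the slides. Dry-run by default (DRY_RUN=1): the emcli
# calls are printed instead of executed. Set DRY_RUN=0 after `emcli login`.
# Assumed names: groups DBAGroup/WLSGroup/EBIZGroup, roles DBA_ADMIN/DEV_RO,
# named credential DEV_DB_RO with DB account perfview, users JOE and DEV1.
# Privilege spellings (FULL_TARGET, VIEW_TARGET, GROUP_ADMINISTRATION,
# CONNECT_READONLY_TARGET, GET_CREDENTIAL) are assumed; check `emcli help grant_privs`.

EMCLI="${EMCLI:-emcli}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command (arguments joined by spaces, without shell quoting) in
# dry-run mode; otherwise execute it and propagate its exit status.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Target-privilege qualifier in EM CLI syntax:
#   <PRIVILEGE>;TARGET_NAME=<name>:TARGET_TYPE=<type>
target_priv() {
  printf '%s;TARGET_NAME=%s:TARGET_TYPE=%s' "$1" "$2" "$3"
}

# Step 1: tag databases with a target property so a dynamic group defined on
# Department=DBA picks them up (constructed target names). Record format:
#   target_name:target_type:property_name:property_value (records joined by ;)
tag_dba_databases() {
  run "$EMCLI" set_target_property_value \
    -property_records="orcl.example.com:oracle_database:Department:DBA;hr.example.com:oracle_database:Department:DBA"
}

# Step 2: DBA_ADMIN owns DBAGroup (Full + Group Administration) but only views
# the WLS and EBIZ groups, so the DBA team cannot change FMW or EBS targets.
create_dba_admin_role() {
  run "$EMCLI" create_role -name="DBA_ADMIN" -desc="DBA team: owns DBAGroup" \
    -privilege="$(target_priv FULL_TARGET DBAGroup group)" \
    -privilege="$(target_priv GROUP_ADMINISTRATION DBAGroup group)" \
    -privilege="$(target_priv VIEW_TARGET WLSGroup group)" \
    -privilege="$(target_priv VIEW_TARGET EBIZGroup group)"
}

# Step 3: developers get a named credential for a low-privilege DB account
# (create session + select any dictionary, as on the slide "Database
# Permissions - Performance Views") and Connect Target Read-Only on the group.
# They can use the credential (GET_CREDENTIAL) without ever seeing the password.
create_dev_ro_role() {
  pw="${DEV_DB_RO_PASSWORD:-}"
  if [ "$DRY_RUN" != "1" ] && [ -z "$pw" ]; then
    echo "DEV_DB_RO_PASSWORD must be set (not hard-coded) to create DEV_DB_RO" >&2
    return 1
  fi
  run "$EMCLI" create_named_credential -cred_name="DEV_DB_RO" \
    -auth_target_type=oracle_database -cred_type=DBCreds \
    -attributes="DBUserName:perfview;DBPassword:${pw:-<from DEV_DB_RO_PASSWORD>};DBRole:Normal"
  run "$EMCLI" create_role -name="DEV_RO" -desc="Developers: read-only performance views" \
    -privilege="$(target_priv VIEW_TARGET DBAGroup group)" \
    -privilege="$(target_priv CONNECT_READONLY_TARGET DBAGroup group)" \
    -privilege="GET_CREDENTIAL;CRED_NAME=DEV_DB_RO"
}

# Step 4: grant roles, never direct privileges, to users (slide "Ways to Grant Roles").
grant_role() {
  run "$EMCLI" grant_roles -name="$1" -roles="$2"
}

tag_dba_databases
create_dba_admin_role
create_dev_ro_role
grant_role JOE "DBA_ADMIN;BLACKOUT_ADMIN"
grant_role DEV1 "DEV_RO"
```

Review the printed commands first, then rerun with DRY_RUN=0 and DEV_DB_RO_PASSWORD exported from a secret store rather than typed on the command line.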
New Fine-Grained Database Privileges (new in 13c)
• Restrict access to certain database pages, actions, features and functions
• Only available under Target Privileges for Database targets
Over 150 Database Resource Privileges… (new in 13c)
Automated Maintenance Tasks, Administration, Advisor, Archive Logs, ASH, AWR, ADDM, Alert Logs, Advanced Queue, Audit, Backups, Undo, Health Checkers, Tables, Tablespaces, Encryption, Feature Usage, High Availability Console, Import, Indexes, Memory Settings, Packages, Modules, In Memory, Java Content, Label Security, Initialization Parameters, Privilege Analysis, Performance Home Page, Startup/Shutdown, SQL Tuning Sets, Workspaces, Optimizer Statistics, Procedures and Functions, Profiles, Recovery, Redaction, Redo Logs, Objects, Resources, Roles, Run any SQL, Scheduler, Security, Services, PGA, SQL Monitor, SQL Plan Control
Privilege Groups Provided to Make it Easier (new in 13c)
Resource Privilege: Description
• Manage Database Performance Privilege Group: Ability to manage all database performance and advisory features like SQL Monitor, SQL Performance Analyzer, Memory Advisors, Segment Advisors, etc.
• View Database Performance Privilege Group: Ability to view all database performance and advisory features like SQL Monitor, SQL Performance Analyzer, Memory Advisors, Segment Advisors, etc.
• Manage Database High Availability Privilege Group: Ability to manage database high availability in EM.
• Manage Database Schema Privilege Group: Ability to manage database schema elements like tables, views, indexes, packages, functions, etc.
• Manage Database Security Privilege Group: Ability to manage all database security features like Users, Roles, Profiles, Data Encryption, Data Vault, Audit Vault, etc.
Privilege Roles Make it Even Easier… (new in 13c)
Database Application DBA
• Description: The Database Application DBA can manage application schema, application objects and application performance in the database. The Application DBA can view and update the database to fix performance and other issues on the database.
• Includes: Manage Database Performance Privilege Group; Manage Database Schema Privilege Group
Database Security Officer
• Description: The Database Security Officer manages database security in the enterprise, performing user, role, audit, key and compliance management of the database.
• Includes: Manage Target Compliance; Manage Database Security Privilege Group
Database Application Developer
• Description: The Application Developer can view the database performance in EM but cannot make any changes to the database.
• Includes: View Database Performance Privilege Group; View Database Schema Privilege Group
Database Permissions - Performance Views
View Performance pages, charts and explain plans
• create session
• select any dictionary
Run AWR reports
• execute on dbms_workload_repository
SQL Access Advisor
• create job
• oem_advisor
• Cannot be used in read-only mode
SQL Tuning Advisor
• execute on dbms_workload_repository
• administer sql tuning set
For more on database permissions see the Database Security Guide
Named Credentials
• Store a username/password combination
• Jobs and users reference the credential rather than storing their own copy
• One update is required when the password changes
• Share access with others
– View (use)
– Edit (update)
– Full (delete)
• Allows for SSH credentials
Basic Target Access Requirements
• View Target
– Ability to view target status and basics from the home page
• Create Named Credential
– Save/access a username/password combination
• Connect
– Ability to enter a target username/password
• Connect Read-Only
– Limits the connection to a read-only mode
– Connect mode supersedes Connect Read-Only
Connect Target Read-Only
• When unauthorized users attempt changes
3: Sharing the oracle Account Password
Requirement
• Security policies won’t allow us to share the oracle account/password, but we need it for certain tasks. How can we work around this?
Solution
• Preferred Credentials
• Named Credential
Sharing Account with Named Credentials
• A security manager or admin can create a named credential with the oracle account/password, then grant DBAs access to use the credential.
• The password is not known to them; access is only possible via EM, which can be audited
• The named credential can be stored as a user’s preferred credential for login without prompting
• Passwords can be changed easily and frequently using EM CLI
$ emcli modify_named_credential -cred_name=GLB_ORA_OS -attributes="HostUserName:oracle;HostPassword:"
Preferred Credentials
• Stored credentials per target type
• Utilize Named Credentials
Target Preferred Credentials
• Use for one-off situations
• Override default target type credentials
Default Target Type Preferred Credentials
• Multiple credentials per target type
• Override Global Target/Target Type credentials
Global Preferred Credentials (new in 12cR4)
• Apply to all users with the minimum privilege (OPERATOR) level
– The minimum can be changed using the update_credential_set verb
• Can speed up user on-boarding
• Use privileged accounts with caution
• Target level overrides target type
Using EM CLI to Update Passwords and Set Credentials (new in 13c)
• Change the database user password in both the target database and Enterprise Manager (all stored credentials).
• Now works for changing all users, including sys/sysdba users
$ emcli update_db_password -change_at_target=Yes|No -change_all_reference=Yes|No
• Update a password which has already been changed at the host target.
$ emcli update_host_password -change_all_reference=Yes|No
• Set preferred credentials for given users.
$ emcli set_preferred_credential -set_name="set_name" -target_name="target_name" -target_type="ttype" -credential_name="cred_name" -for_user="user" [-credential_owner="owner"]
Requirement 4: Integrate with Corporate LDAP
Requirement
• Can we integrate our users with our corporate LDAP system? The Security Team wants to ensure password policies are enforced and follow corporate standards.
Solutions to implement
• LDAP Integration
• External Roles
• EM CLI commands
Available Authentication Methods
• Based on WLS supported methods
– Repository based (default)
– Oracle Access Manager with SSO
– Enterprise User Security
– LDAP (OID, Active Directory, etc.)
• Benefits to using an advanced method
– Reduces user administration effort in EM
– Password expiration controlled centrally
– User creation/deletion can be automated
– External roles can map to authentication groups
Connect with Active Directory
• Preferred method: emctl config auth ad
emctl config auth ad -ldap_host "ldaphost" -ldap_port "3060" -ldap_principal "cn=orcladmin" -user_base_dn "cn=users,dc=us,dc=oracle,dc=com" -group_base_dn "cn=groups,dc=us,dc=oracle,dc=com" -ldap_credential "ldap_password" [-sysman_pwd "sysman_password"]
• Alternate method: WLS Console
– Add the authentication provider and set the OMS properties
emctl set property -name "oracle.sysman.core.security.auth.is_external_authentication_enabled" -value "true"
emctl set property -name "oracle.sysman.emSDK.sec.DirectoryAuthenticationType" -value "LDAP"
• A full OMS stop/start is required
See: Enterprise Manager Cloud Control 12c: Configuring External User Authentication Using Microsoft Active Directory
Create Users
• Users must be created as “external”
– Console or EM CLI
emcli create_user -name="new_admin" -type="EXTERNAL_USER" -roles="public"
• Existing users can be modified
emcli modify_user -name="name" -type="external_user"
• Map attributes to LDAP
emctl set property -name "oracle.sysman.core.security.auth.ldapuserattributes_emuserattributes_mappings" -value "USERNAME={%uid%},EMAIL={%mail%},CONTACT={%telephone%},DEPARTMENT={%department%},DESCRIPTION={%description%},LOCATION={%postalcode%}"
Automating User Creation
• Auto Provisioning allows LDAP users to be created upon first login
emctl set property -name "oracle.sysman.core.security.auth.autoprovisioning" -value "true"
• Minimum Role restricts this to members of a certain group
emctl set property -name "oracle.sysman.core.security.auth.autoprovisioning_minimum_role" -value "EM_ADMIN"
• Username mapping (to External Numeric ID) provides the security while enhancing user experience and auditing
emctl set property -name "oracle.sysman.core.security.auth.enable_username_mapping" -value "true"
External Roles
• Automate privilege grants by mapping Roles to LDAP Groups
– LDAP Group of EM users = EM_ADMINS, external role named EM_ADMINS
• Users will automatically get the permissions of that role
Requirement 5: Jobs Must be Shared by Teams
Requirement
• How can we share a job with a group of users so we can all edit the job? All members of the DBA team must be able to edit, stop and run the backup jobs.
Solution
• Private Roles
Jobs Must be Shared By Teams
• To prevent unauthorized access, roles could not have full privileges on jobs
– 12cR4 introduced Private Roles
• Sharing jobs is now possible:
– Create a Private Role that has Full access to the job
– Grant the Private Role to the users
Private Roles (new in 12cR4)
• Created by a Super Administrator or a user with the Create Role privilege
• Can be granted WITH_ADMIN option
• Grant privileged permissions
– LAUNCH_DP
– FULL_DP
– GET_CREDENTIAL
– EDIT_CREDENTIAL
– FULL_CREDENTIAL
– FULL_JOB
Creating a Private Role
• As a Super Admin or user with Create Role
– Create a role and mark it Private
• The object owner must make the grant
Grant Job Resource Privileges
Add Jobs to Role
Select Resources (Jobs) to Add to Role
Grant Privilege Level
Resource Ownership
• As SYSMAN, only able to grant FULL to jobs owned by SYSMAN
• Manage Job is highest privilege that can be granted on Jobs owned by
other users
Option 2: Add Role on Access Tab of Specific Job
Option 3: EMCLI
• A Private Role can be granted to an administrator with the WITH_ADMIN option as follows
emcli>create_role(name="my_cred_role", private_role=True)
emcli>grant_privs(name="my_cred_role", privilege="GET_CREDENTIAL;CRED_NAME=SSHCRED")
emcli>grant_roles(name="BOB", roles="my_cred_role")
emcli>grant_roles(name="JOHN", roles="my_cred_role:WITH_ADMIN")
• BOB cannot share this credential with other users
• JOHN can now share this credential with other users, as he has been granted WITH_ADMIN
Summary
• Many more features and functions that allow you to secure and share your
Cloud Control environment
– Auditing
– Privilege Delegation (pbrun, sudo, etc)
• First step is to define the different requirements
– Who needs access
– What do they need access to do
• Always start with least possible privileges and build up
• Use the out-of-box roles as guidance
Resources
• OTN Enterprise Manager – OOW14 Content
http://www.oracle.com/technetwork/oem/pdf/em-oow2014-2339393.html
• Blogs:
http://blogs.oracle.com/oem
http://courtneyllamas.com
• Twitter
@oracle_EM
@courtneyllamas
Earn an #IOUGenius Certificate
Demonstrate the skills you’ve gained at COLLABORATE 16
How to Earn Your Certificate
1. Choose a certificate that benefits you and your company the most.
2. Search for sessions in the mobile app by using the hashtag #IOUGenius.
3. “Check-in” to 4+ sessions on your mobile app.
4. Email us at speakers@ioug.org to receive your #IOUGenius e-certificate(s).
Visit: collaborate.ioug.org/certificates
• 12c New Features and Upgrades
• Core DBA Skills
• Oracle Enterprise Manager
• Performance
• Securing Your Oracle Database
• Techniques for High Availability
• The Cloud, Options, and Choices
• Understanding Big Data, Tools, and Techniques
• WebCenter Strategies and Best Practices
Oracle EM12c Release 4 New Features!Oracle EM12c Release 4 New Features!
Oracle EM12c Release 4 New Features!
 
Openfest15 MySQL Plugin Development
Openfest15 MySQL Plugin DevelopmentOpenfest15 MySQL Plugin Development
Openfest15 MySQL Plugin Development
 
OOW15 - case study: oracle application management suite for oracle e-business...
OOW15 - case study: oracle application management suite for oracle e-business...OOW15 - case study: oracle application management suite for oracle e-business...
OOW15 - case study: oracle application management suite for oracle e-business...
 
Oracle Database Lifecycle Management
Oracle Database Lifecycle ManagementOracle Database Lifecycle Management
Oracle Database Lifecycle Management
 
Em13c features- HotSos 2016
Em13c features- HotSos 2016Em13c features- HotSos 2016
Em13c features- HotSos 2016
 

Dernier

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 

Oracle Enterprise Manager Security A Practitioners Guide

  • 2. Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
    Oracle Enterprise Manager Security: A Practitioners Guide
    Courtney Llamas, Consulting Member of Technical Staff, Enterprise Manager - Strategic Customer Program
    March 3, 2016
    Oracle Confidential – Internal/Restricted/Highly Restricted
  • 3. Safe Harbor Statement
    The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  • 4. Total Cloud Control
    Agile, Automated | Optimized, Efficient | Scalable, Secure
    Complete Cloud Lifecycle Management | Expanded Cloud Stack Management | Superior Enterprise-Grade Management
  • 5. Increase in Functionality Results in Increased Demand
    • Now a full data center tool
      – Monitors and manages entire stack
      – Configuration and compliance management
      – Data Center automation
      – Cloud
      – Alerts
      – Reporting
    • Increase in target types supported
      – Fusion Middleware, E-Business Suite, Java Diagnostics, Siebel, SQL Server, MySQL, DB2
  • 6. Top 5 Questions About Access and Security
    1. Our DBA team has EM, but the FMW team wants to add their targets; how can I do this without them interfering with our work?
    2. My developers want to see the database performance; how can I allow them without fear of them breaking something?
    3. Security policies won’t allow us to share the oracle account/password, but we need it for certain tasks; how can we work around this?
    4. Can we integrate our users with our corporate LDAP system?
    5. How can we share a job with a group of users so we can all edit the job?
  • 7. 1: Organize Targets by Support Team
    Requirement:
    • Our DBA team has EM, but the FMW team wants to add their targets; how can I do this without them interfering with our work? Different teams support the databases, FMW and E-Business targets. They work together often, as their targets are associated, and need to view other targets.
    Solution – Organize Targets by Support Team:
    • Create groups and/or systems
    • Set target properties
    • Create function based roles
  • 8. Organize Targets by Support Team
    • Different groups of users have different access requirements
    • Define what these groups look like and organize targets in groups or systems
      – Groups allow you to manage many targets as one based on common attributes (access, monitoring, notifications, etc.)
      – Services/Systems
    • Use Target Properties for defining group membership and automation
    • Create Roles with appropriate Privileges on the groups
  • 9. Organize Targets
    Basic Groups
      – Manually add targets
      – Nest to form a hierarchy
      – Targets may reside in multiple groups
      – No automation
      – Privileges can be propagated to member targets
    Dynamic Groups
      – Define membership by target properties
      – Targets may reside in multiple groups
      – Automate membership
      – Privileges can be propagated to member targets
    Administration Groups
      – Defined as a hierarchy based on target properties
      – Multiple levels and layers
      – Targets only reside in one leaf node
      – Automated membership
      – Automated template apply
      – Privileges are propagated to member targets
    Systems
      – Aggregate target that contains related components
      – Availability determined by key member target availability
      – Can be privilege propagating
  • 10. Target Properties (New in 13c)
    • Can also be used as filters in Incident Rules, Notification Methods and Reports
    • LifeCycle Status helps prioritize OMS workload on a backlogged system/agents
    • User Defined Target Properties can be used in Dynamic/Admin groups in EM 13c
    • Create a List of Values in EM 13c
  • 11. Creating Roles for Various User Access
    • Grant Target Privileges on groups of targets to restrict access in multi-organization environments
    • Use Connect Target Read-Only for non-privileged access
    • Best Practices for Security:
      – Grant roles to users, not direct privileges
      – Least privilege method preferred
      – Use Super Admin sparingly
      – Utilize the Out-of-Box Roles for examples
    Role levels:
      – Owner: can do anything on target
      – Admin: operate and make changes to the target (running jobs, diag & tuning, etc.)
      – Operator: triage faults and check things (no changes); typically for notifications and follow-up
      – Guest: read-only access
  • 12. Target Privileges
    • Privileges Applicable to all Targets
      – Applies to all
      – Limit use
    • Target Privileges
      – Add Targets (Group, System, etc.)
      – Manage Target Privilege Grants to assign permissions
    If you have granted ANY permissions, you likely have not thought out your requirements enough
  • 13. Resource Privileges
    Common Grants
      – Access
      – Dashboards
      – Enterprise Rule Set *
      – Metric Extension *
      – Named Credential
      – Job System
      – Report
      – Target Discovery Framework *
      – Template *
      – Template Collection *
    Database Specific
      – Backup Configuration
      – Backup Status Report
      – Database Replay
    Middleware Specific
      – Fusion Middleware Offline Diagnostic
      – JVM Diagnostic
    LifeCycle Management
      – Compliance Framework
      – Configuration Extensions
      – Deployment Procedures
      – Patch Plan
      – Patching Setup
      – Software Library Entity
  • 14. Sample Privilege Breakdown
    Guest
      – Connect Target Read-Only
      – View (on Group)
      – Named Credential
    Operator
      – Operator on Group
      – Named Credential
      – Job System
    Admin
      – Full on Group
      – Named Credential
      – Report
      – Job System
    Owner
      – Full on Group
      – Configuration Extensions
      – Enterprise Rule Set
      – Metric Extensions
      – Target Discovery Framework
      – Template
      – Template Collection
    EM Admins
      – EM Plug-in
      – Enterprise Manager High Availability
      – OMS Configuration Property
      – Proxy Settings
      – Self Update
      – Software Library Administration
      – Software Library Entity
      – System
  • 15. Putting it all together – DBA Example
    • Create dynamic groups
    • Set target properties to join group
    • Create “DBA_Admin” role
      – Select Add under Target Privileges and select DBA, WLS and EBIZ groups
      – Modify DBAGroup to add Group Administration privilege
      – WLS/EBIZ groups remain view access
  • 16. Ways to Grant Roles
    • Console – Edit User or Edit Role
    • EM CLI:
      $ emcli grant_roles -name="JOE" -roles="DBA_ADMIN;BLACKOUT_ADMIN"
  • 17. Granting Users Permission to Manage Roles (New in 12cR4)
    • Managed by Super Administrator or user with Manage System Roles privilege
      emcli> grant_roles(name="BOB", role="my_cred_role:WITH_ADMIN_OPTION")
  • 18. Granting Users Ability to Create and Delete Users (New in 13c)
    • System resource privilege “User Management” allows non-super administrators to be responsible for user creation and deletion
  • 19. 2: Application Access to Database
    Requirement:
    • My developers want to see the database performance; how can I allow them without fear of them breaking something? They can’t make changes to production databases either.
    Solution – Read-only Accounts:
    • Connect Target Read Only
    • Named Credential
  • 20. Application Access to Database
    • An EM account does not authorize any database or application activity
      – Target login will be required
    • Databases rely on DB authentication (e.g. scott/tiger, sys as sysdba)
    • Hosts require OS authentication to view files, run jobs
    • Named Credentials allow you to store the combination of user/pwd
      – Can be changed frequently
      – Can be granted to other users
    • Create a role for developer access to connect/view required targets only
      – Connect read-only
  • 21. New Fine Grained Database Privileges (New in 13c)
    • Restrict access to certain database pages, actions, features and functions
    • Only available as Target Privileges for Database
  • 22. Over 150 Database Resource Privileges… (New in 13c)
    Privilege areas named on the slide: Automated Maintenance Tasks Administration, Advisor, Archive Logs, ASH, AWR, ADDM, Alert Logs, Advanced Queue, Audit, Backups, Undo, Health Checkers, Tables, Tablespaces, Encryption, Feature Usage, High Availability Console, Import, Indexes, Memory Settings, Packages, Modules, In Memory, Java Content, Label Security, Initialization Parameters, Privilege Analysis, Performance Home Page, Startup/Shutdown, SQL Tuning Sets, Workspaces, Optimizer Statistics, Procedures and Functions, Profiles, Recovery, Redaction, Redo Logs, Objects, Resources, Roles, Run any SQL, Scheduler, Security, Services, PGA, SQL Monitor, SQL Plan Control
  • 23. Privilege Groups Provided to Make it Easier (New in 13c)
    Resource Privilege – Description
    • Manage Database Performance Privilege Group – Ability to manage all database performance and advisory features like SQL Monitor, SQL Performance Analyzer, Memory Advisors, Segment Advisors etc.
    • View Database Performance Privilege Group – Ability to view all database performance and advisory features like SQL Monitor, SQL Performance Analyzer, Memory Advisors, Segment Advisors etc.
    • Manage Database High Availability Privilege Group – Ability to manage database high availability in EM.
    • Manage Database Schema Privilege Group – Ability to manage database schema elements like tables, views, indexes, packages, functions etc.
    • Manage Database Security Privilege Group – Ability to manage all database security features like Users, Roles, Profiles, Data Encryption, Data Vault, Audit Vault etc.
  • 24. Privilege Roles Make it Even Easier… (New in 13c)
    Resource Privilege – Description – Includes
    • Database Application DBA – Database Application DBA can manage application schema, application objects and application performance in the database. Application DBA can view and update the database to fix performance and other issues on the database. Includes: Manage Database Performance Privilege Group; Manage Database Schema Privilege Group
    • Database Security Officer – Database Security Officer manages database security in the enterprise. Database Security Officer performs user, role, audit, key and compliance management of the database. Includes: Manage Target Compliance; Manage Database Security Privilege Group
    • Database Application Developer – Application developer can view the database performance in EM but cannot make any changes to the database. Includes: View Database Performance Privilege Group; View Database Schema Privilege Group
  • 25. Database Permissions - Performance Views
    Database privileges – EM feature
    • create session; select any dictionary – View Performance pages, charts and explain plans
    • execute on dbms_workload_repository – Run AWR reports
    • create job; oem_advisor – SQL Access Advisor
    • Cannot be used in read-only mode; execute on dbms_workload_repository; administer sql tuning set – SQL Tuning Advisor
    For more on database permissions see the Database Security Guide
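The privilege mapping on this slide carried through as a SQL script, added here as an example and not part of the deck: a DBA creates a database role holding exactly the grants the slide lists, an account for developers that an EM Named Credential can reference, and then queries the data dictionary to confirm nothing beyond those grants exists. The names DEV_PERF_RO and DEV_PERF_USER and the password are placeholders I chose; the script assumes it runs as a DBA in a non-CDB database or inside a PDB.

```sql
-- Added example (not from the slides): least-privilege database account for
-- developers who only need the EM performance pages. Run as a DBA.
-- DEV_PERF_RO, DEV_PERF_USER and the password are placeholders (assumptions).

-- 1. A database role carrying exactly the grants the slide lists per feature.
CREATE ROLE dev_perf_ro;

-- View Performance pages, charts and explain plans.
-- SELECT ANY DICTIONARY is broad; review it against your own policy.
GRANT CREATE SESSION        TO dev_perf_ro;
GRANT SELECT ANY DICTIONARY TO dev_perf_ro;

-- Run AWR reports (the same package is needed by SQL Tuning Advisor)
GRANT EXECUTE ON SYS.DBMS_WORKLOAD_REPOSITORY TO dev_perf_ro;

-- SQL Access Advisor: scheduler jobs plus the OEM_ADVISOR role
GRANT CREATE JOB  TO dev_perf_ro;
GRANT OEM_ADVISOR TO dev_perf_ro;

-- SQL Tuning Advisor. The slide notes it cannot be used in EM's read-only
-- mode, so this grant only matters for users allowed full Connect.
GRANT ADMINISTER SQL TUNING SET TO dev_perf_ro;

-- 2. The account the EM Named Credential will point at. No tablespace quota
--    and no object privileges on application schemas: it owns nothing.
CREATE USER dev_perf_user IDENTIFIED BY "ChangeMe_Placeholder1";
GRANT dev_perf_ro TO dev_perf_user;

-- 3. Check the role: every row returned should be one of the six grants above.
SELECT 'SYSTEM PRIV' AS kind, privilege AS granted
  FROM dba_sys_privs  WHERE grantee = 'DEV_PERF_RO'
UNION ALL
SELECT 'ROLE', granted_role
  FROM dba_role_privs WHERE grantee = 'DEV_PERF_RO'
UNION ALL
SELECT 'OBJECT PRIV', owner || '.' || table_name || ' (' || privilege || ')'
  FROM dba_tab_privs  WHERE grantee = 'DEV_PERF_RO'
ORDER BY 1, 2;

-- 4. Check the user: direct grants bypass the role and should not exist.
--    Any row returned here is a grant to investigate and revoke.
SELECT 'SYSTEM PRIV' AS kind, privilege AS granted
  FROM dba_sys_privs  WHERE grantee = 'DEV_PERF_USER'
UNION ALL
SELECT 'OBJECT PRIV', owner || '.' || table_name || ' (' || privilege || ')'
  FROM dba_tab_privs  WHERE grantee = 'DEV_PERF_USER'
UNION ALL
SELECT 'ROLE', granted_role
  FROM dba_role_privs WHERE grantee = 'DEV_PERF_USER'
   AND granted_role <> 'DEV_PERF_RO';
```

In EM the account is then stored as a Named Credential and granted to the developer role together with Connect Target Read-Only, so the database grants and the EM privilege form two independent layers.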
  • 26. Named Credentials
    • Store a username/password combination
    • Referenced, not stored
    • One update required for changes
    • Share access with others
      – View (use)
      – Edit (update)
      – Full (delete)
    • Allows for SSH credentials
  • 27. Basic Target Access Requirements
    • View Target – Ability to view target status, basics from home page
    • Create Named Credential – Save/Access a username/password combination
    • Connect – Ability to enter a target username/password
    • Connect Read-Only – Limits connection to a read-only mode
      – Connect mode supersedes Connect Read-Only
  • 28. Connect Target Read-Only
    • When an unauthorized user attempts changes
  • 29. 3: Sharing Oracle Account Password
    Requirement:
    • Security policies won’t allow us to share the oracle account/password, but we need it for certain tasks; how can we work around this?
    Solution:
    • Preferred Credentials
    • Named Credential
  • 30. Sharing Account with Named Credentials
    • Security manager or admin can create a named credential with the oracle account/password, then grant DBAs access to use the credential.
    • Password is not known to the users; access is only allowed via EM, which can be audited
    • Named credential can be stored as the user’s preferred credential for login without prompting
    • Passwords can be changed easily and frequently using EM CLI:
      $ emcli modify_named_credential -cred_name=GLB_ORA_OS -attributes="HostUserName:oracle;HostPassword:"
  • 31. Preferred Credentials
    • Stored Credentials per target type
    • Utilizes Named Credentials
  • 32. Target Preferred Credentials
    • Use for one-off situations
    • Overrides default target type credentials
  • 33. Default Target Type Preferred Credentials
    • Multiple credentials per target type
    • Overrides Global Target/Target Type credentials
  • 34. Global Preferred Credentials (New in 12cR4)
    • Applies to all users with minimum privilege (OPERATOR) level
      – Can change minimum using update_credential_set verb
    • Can speed up user on-boarding
    • Use privileged accounts with caution
    • Target level overrides target type
  • 35. Using EM CLI to Update Passwords and Set Credentials (New in 13c)
    • Change the database user password in both the target database and Enterprise Manager (all stored credentials). Now works for changing all users, including sys/sysdba users:
      $ emcli update_db_password -change_at_target=Yes|No -change_all_reference=Yes|No
    • Update a password which has already been changed at the host target:
      $ emcli update_host_password -change_all_reference=Yes|No
    • Set preferred credentials for given users:
      $ emcli set_preferred_credential -set_name="set_name" -target_name="target_name" -target_type="ttype" -credential_name="cred_name" -for_user="user" [-credential_owner="owner"]
  • 36. Requirement 4: Integrate with Corporate LDAP
    Requirement:
    • Can we integrate our users with our corporate LDAP system? Security Team wants to ensure password policies are enforced and follow corporate standards.
    Solutions to implement:
    • LDAP Integration
    • External Roles
    • EM CLI commands
  • 37. Available Authentication Methods
    • Based on WLS supported methods
      – Repository based (default)
      – Oracle Access Manager with SSO
      – Enterprise User Security
      – LDAP (OID, Active Directory, etc.)
    • Benefits to using an advanced method
      – Reduces user administration effort in EM
      – Password expiration controlled centrally
      – User creation/deletion can be automated
      – External roles can map to authentication groups
  • 38. Connect with Active Directory
    • Preferred method: emctl config auth ad
      emctl config auth ad -ldap_host "ldaphost" -ldap_port "3060" -ldap_principal "cn=orcladmin" -user_base_dn "cn=users,dc=us,dc=oracle,dc=com" -group_base_dn "cn=groups,dc=us,dc=oracle,dc=com" -ldap_credential "ldap_password" [-sysman_pwd "sysman_password"]
    • Alternate method: WLS Console – Add authentication provider and set OMS properties
      emctl set property -name "oracle.sysman.core.security.auth.is_external_authentication_enabled" -value "true"
      emctl set property -name "oracle.sysman.emSDK.sec.DirectoryAuthenticationType" -value "LDAP"
    • Full OMS stop/start required
    See: Enterprise Manager Cloud Control 12c: Configuring External User Authentication Using Microsoft Active Directory
  • 39. Create Users
    • Users must be created as “external” – Console or EM CLI:
      emcli create_user -name="new_admin" -type="EXTERNAL_USER" -roles="public"
    • Existing users can be modified:
      emcli modify_user -name="name" -type="external_user"
    • Map attributes to LDAP:
      emctl set property -name "oracle.sysman.core.security.auth.ldapuserattributes_emuserattributes_mappings" -value "USERNAME={%uid%},EMAIL={%mail%},CONTACT={%telephone%},DEPARTMENT={%department%},DESCRIPTION={%description%},LOCATION={%postalcode%}"
  • 40. Automating User Creation
    • Auto Provisioning allows LDAP users to be created upon first login:
      emctl set property -name "oracle.sysman.core.security.auth.autoprovisioning" -value "true"
    • Minimum Role restricts this to members of a certain group:
      emctl set property -name "oracle.sysman.core.security.auth.autoprovisioning_minimum_role" -value "EM_ADMIN"
    • Username mapping (to External Numeric ID) provides the security while enhancing user experience and auditing:
      emctl set property -name "oracle.sysman.core.security.auth.enable_username_mapping" -value "true"
  • 41. External Roles
    • Automate privilege grants by mapping Roles to LDAP Groups
      – LDAP Group of EM users = EM_ADMINS; external role named EM_ADMINS
    • Users will automatically get the permissions of that role
  • 42. Requirement 5: Jobs Must be Shared by Teams
    Requirement:
    • How can we share a job with a group of users so we can all edit the job? All members of the DBA team must be able to edit, stop and run the backup jobs.
    Solution:
    • Private Roles
  • 43. Jobs Must be Shared By Teams
    • To prevent unauthorized access, roles could not have full privs on jobs
      – 12cR4 introduced Private Roles
    • Allowing shared jobs is now possible by:
      – Creating a Private Role that has Full access to the job
      – Granting the Private Role to the users
  • 44. Private Roles (New in 12cR4)
    • Created by Super Administrator or user with Create Role privilege
    • Can be granted WITH_ADMIN option
    • Grant privileged permissions
      – LAUNCH_DP
      – FULL_DP
      – GET_CREDENTIAL
      – EDIT_CREDENTIAL
      – FULL_CREDENTIAL
      – FULL_JOB
  • 45. Creating a Private Role
    • As a Super Admin or user with Create Role
      – Create a role and mark it Private
    • Object Owner must make the grant
  • 46. Grant Job Resource Privileges
  • 47. Add Jobs to Role
  • 48. Select Resources (Jobs) to Add to Role
  • 49. Grant Privilege Level
  • 50. Resource Ownership
    • As SYSMAN, only able to grant FULL to jobs owned by SYSMAN
    • Manage Job is the highest privilege that can be granted on Jobs owned by other users
  • 51. Option 2: Add Role on Access Tab of Specific Job
  • 52. Option 3: EMCLI
    • A Private Role can be granted to an administrator with the WITH_ADMIN option as follows:
      emcli> create_role(name="my_cred_role", private_role=True)
      emcli> grant_privs(name="my_cred_role", privilege="GET_CREDENTIAL;CRED_NAME=SSHCRED")
      emcli> grant_roles(name="BOB", role="my_cred_role")
      emcli> grant_roles(name="JOHN", role="my_cred_role:WITH_ADMIN")
    • BOB cannot share this credential with other users
    • JOHN, having been granted WITH_ADMIN, can now share this credential with other users
  • 53. Summary
    • Many more features and functions allow you to secure and share your Cloud Control environment
      – Auditing
      – Privilege Delegation (pbrun, sudo, etc.)
    • First step is to define the different requirements
      – Who needs access
      – What do they need access to do
    • Always start with the least possible privileges and build up
    • Use the out-of-box roles as guidance
  • 54. Resources
    • OTN Enterprise Manager – OOW14 Content: http://www.oracle.com/technetwork/oem/pdf/em-oow2014-2339393.html
    • Blogs: http://blogs.oracle.com/oem, http://courtneyllamas.com
    • Twitter: @oracle_EM, @courtneyllamas