Oracle Enterprise Manager 12c




Oracle Enterprise Manager 12c
CON8243 - Enterprise Manager 12c Security Cookbook: Best Practices for Large Datacenters
Maureen Byrne, Product Management, Oracle
Marleen Gebraad, Rabobank
Nagaraj Krishnappa, Senior Consultant, Oracle

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Agenda
1. Security Framework Overview
2. Common Enterprise Manager Security Concerns
3. Authentication
4. Credential Management
5. Authorization
6. Resources
7. Rabobank

Enterprise Manager: Security Overview
Oracle Enterprise Manager Security Framework Components

Enterprise Manager: Security Framework Overview
(Architecture diagram; the components shown are listed here.)
- Administrators, using Enterprise Manager Cloud Control and the Enterprise Manager Command Line Interface
- Oracle Management Service, providing: Enterprise Manager Authentication, Target Authentication, Enterprise Manager Authorization, Secure Communication, Cryptographic Key, Enterprise Manager Auditing
- Oracle Management Repository
- Resources: Backup/Recovery Jobs, SQL Script Jobs, Monitoring Templates, Privilege Delegation Templates, Information Reports, Root Cause Analysis
- Agents and targets: Database, Application Server, Applications, Solaris, Linux, Windows

Enterprise Manager: Authentication
Authentication is the process of determining the validity of a user.

Enterprise Manager: Authentication
- Enterprise Manager Authentication
  - Repository Authentication
  - External Authentication: achieved with WLS container authentication; support for OAM Authentication and LDAP Authentication (e.g. MS Active Directory)
- Target Authentication
  - Target Credentials: Named, Preferred, Monitoring
  - Authentication Schemes: Username and Password; SSH credentials (host target types); Kerberos Credentials (database target types)
- SSO Support
- Centralized user management

Enterprise Manager: WLS container authentication
External Authentication is delegated to WebLogic Server
- Authentication is achieved with WebLogic Server container authentication
- WLS provides an extensive list of supported Security Providers
- EM provides out-of-box support (one-step configuration) for AD, OID and OAM providers for the username/password scheme:
  - Setting the necessary properties in EM
  - Setting the necessary configuration parameters in WLS
- WLS also provides the ability to create Custom Security Providers

Our corporate authentication standard is Microsoft Active Directory. How can I configure Enterprise Manager to use MS AD with minimum overhead?
Use one-step configuration for AD, OID and OAM to conveniently set up Enterprise Manager for external authentication using the command emctl config auth.

Enterprise Manager Authentication: One-step configuration
Pre EM 12cR2:
1. Log in to the WLS Admin Console using WLS admin credentials and configure the AD Authentication Provider
2. Log in to the EM Console and configure the EM Authentication properties
EM 12cR2: use one command to configure both WLS and EM:
$> emctl config auth ad

Enterprise Manager: WLS Container Authentication with Microsoft Active Directory
(Diagram: username/password authentication against the Oracle Management Service; Authentication Providers: Repos, AD, OAM.)
Out-of-box native support (one command):
- creates EM_AD_Provider
- configures EM_AD_Provider in WLS
- configures OMS properties in EM
The AD Provider contains all the configuration information:
- LDAP host
- user forests/trees/branches
- Administrators access
Example: one-step configuration to set up External Authentication for Enterprise Manager with Active Directory:
emctl config auth ad -ldap_host "example.oracle.com" -ldap_port "389" -ldap_principal "cn=administrator,cn=users,dc=ys,dc=oracle,dc=com" -ldap_credential "WelcomePwd" -user_base_dn "cn=users,dc=ys,dc=oracle,dc=com" -group_base_dn "cn=builtin,dc=ys,dc=oracle,dc=com" -sysman_pwd "xyz123"

Enterprise Manager Authentication: One-step configuration
Native support for external authentication. Benefits:
- Takes advantage of existing corporate authentication standards
- Allows you to quickly configure Enterprise Manager for external user authentication
- Sets Enterprise Manager OMS properties
- Creates and configures the WebLogic Server provider
- Reduces administration overhead and the potential for configuration errors

I have external authentication enabled in Enterprise Manager with LDAP; do I have to recreate all my user accounts in Enterprise Manager?
You do not need to pre-create or re-enter user account information when using LDAP for external authentication: enabling auto-provisioning and using external roles will auto-create user accounts.

Enterprise Manager Authentication: Auto-Provisioning
Automatic creation of a user account upon first successful login.
- External authentication is enabled with the following OMS property, which is set automatically during one-step configuration:
  oracle.sysman.core.security.auth.is_external_authentication_enabled = true
- Auto-provisioning can be used with external LDAP authentication to auto-create user accounts upon first successful login:
  oracle.sysman.core.security.auth.autoprovisioning = true
- Auto-provisioning can be applied to all users, or it can be restricted to a particular LDAP group:
  oracle.sysman.core.security.auth.autoprovisioning_minimum_role = <USER_GROUP_NAME>
  e.g. oracle.sysman.core.security.auth.autoprovisioning_minimum_role = EM_ADMINISTRATORS

Enterprise Manager Authentication: Mapping User Groups to External Roles
- External Roles defined in Enterprise Manager can map to LDAP groups
- Defining a role, marking it as external, and mapping it to an LDAP group of users enables users defined in that LDAP group to be granted that Enterprise Manager role upon login, where <LDAP_group_name> = <EM external role name>
- Example in EM CLI:
  emcli> create_role(name="my_external_role", type="external_role", desc="My external role")

Enterprise Manager Authentication: getting the most out of your LDAP integration
Auto-provisioning and External Roles. Benefits:
- Mapping an LDAP user group to an Enterprise Manager external role provides Enterprise Manager users with defined privileges on first login and simplifies management of roles for external users
- If a user moves to another organization and is moved to another LDAP group, they will automatically be granted the Enterprise Manager privileges for that group
- Used together, external authentication, auto-provisioning and external roles reduce administrative overhead by auto-creating user accounts and granting them the privileges appropriate to their organization
- Using username mapping (to the External Numeric ID) provides the security required by many security policy groups while simultaneously enhancing user experience and auditing:
  oracle.sysman.core.security.auth.enable_username_mapping = true
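The OMS properties on the two preceding slides interact: auto-provisioning only matters once external authentication is on, and without a minimum role it creates an account for every LDAP user who can authenticate. The following is an added example, not Oracle's code or any EM tooling; it parses properties in the `key = value` form the slides use and reports the combinations the slides warn about. The property names are the ones on the slides; the sample input is constructed.

```python
# Added example (not Oracle's code): a small linter for the OMS
# external-authentication properties named on the slides. The sample
# properties below are constructed.
from typing import Dict, List

PREFIX = "oracle.sysman.core.security.auth."

# Constructed sample: auto-provisioning switched on without restricting it
# to an LDAP group, and username mapping left off.
SAMPLE_PROPERTIES = """
# OMS properties (constructed sample)
oracle.sysman.core.security.auth.is_external_authentication_enabled = true
oracle.sysman.core.security.auth.autoprovisioning = true
oracle.sysman.core.security.auth.enable_username_mapping = false
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse `key = value` lines; blank lines and # comments are ignored.
    A key that appears twice keeps its last value."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _flag(props: Dict[str, str], name: str) -> bool:
    return props.get(PREFIX + name, "false").strip().lower() == "true"


def lint_auth_properties(props: Dict[str, str]) -> List[str]:
    """Return one finding per risky or inconsistent combination."""
    findings: List[str] = []
    external = _flag(props, "is_external_authentication_enabled")
    auto = _flag(props, "autoprovisioning")
    minimum_role = props.get(PREFIX + "autoprovisioning_minimum_role", "")

    if auto and not external:
        findings.append("autoprovisioning=true but is_external_authentication_enabled is not true; "
                        "accounts are only auto-created for externally authenticated logins")
    if auto and external and not minimum_role:
        findings.append("autoprovisioning applies to every LDAP user who can log in; "
                        "set autoprovisioning_minimum_role to the LDAP group that should get EM accounts")
    if external and not _flag(props, "enable_username_mapping"):
        findings.append("enable_username_mapping is off; the slides recommend mapping user names "
                        "to the external numeric ID for policy compliance and auditing")
    return findings


if __name__ == "__main__":
    for finding in lint_auth_properties(parse_properties(SAMPLE_PROPERTIES)):
        print("WARN:", finding)
```

Run it against the output of the OMS property dump you already collect during a configuration review; the two findings on the constructed sample are exactly the two settings the slides add on top of one-step configuration.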

Enterprise Manager: Credential Management
Credentials enable an administrator to perform a privileged operation on a managed target.

How can we easily share and manage credentials with hundreds of users for several targets?
Use Global Preferred Credentials, the best way to set Preferred Credentials for all users across many targets.

Enterprise Manager: Credential Management
Enterprise Manager uses the concept of a Named Credential:
- A Named Credential can contain a username/password, Kerberos token or SSH key
- A Named Credential is used to easily manage credentials
- A Named Credential is encrypted using AES and stored in the repository
- A Named Credential is granted to individual users
- Credentials can be granted with the following privileges: View, Full or Edit
- A user can set a Named Credential as a Preferred Credential
- A Preferred Credential conveniently prevents the display of a login prompt

Enterprise Manager: Global Preferred Credentials
A convenient way to set Preferred Credentials for many users across many targets:
- A Global Preferred Credential is a shared preferred credential
- Previously each user had to know a valid credential and set up their own preferred credential
- Now privileged administrators can set Preferred Credentials for ALL users

Enterprise Manager: Global Preferred Credentials
(Diagram of the preferred-credential lookup levels; the levels and legend are listed here.)
User Scoped Preferred Credentials (per user, e.g. User A):
- Level 1: Target Specific Preferred Credentials (PC1 for T1, PC2 for T2, PC3 for T3)
- Level 2: Target Type Preferred Credentials (DPC covering T1, T2, T3)
Global Scoped Preferred Credentials (all users):
- Level 3: Target Specific Preferred Credentials (GPC1 for T1, GPC2 for T2, GPC3 for T3)
- Level 4: Target Type Preferred Credentials (GDPC covering T1, T2, T3)
Legend: PC - Preferred Credential; DPC - Default Preferred Credential; GPC - Global Preferred Credential; GDPC - Global Default Preferred Credential

Enterprise Manager: Global Preferred Credentials
A convenient way to set Preferred Credentials for many users across many targets.
Administrators need the following privileges to set Global Preferred Credentials:
- FULL_TARGET - to set target-specific scope at the Global Preferences level
- FULL_ANY_TARGET - to set target-type scope at the Global Preferences level
Administrators need the following privilege to use Global Preferred Credentials:
- OPERATOR_TARGET - to use a Global Preferred Credential
  - This privilege could be added to the PUBLIC role if you wanted to grant it to everyone
  - Or you can change the privilege needed to use a Global Preferred Credential with the EM CLI command update_credential_set()

Enterprise Manager: Global Preferred Credentials
Use Global Preferred Credentials for many users across many targets. Global Preferred Credentials reduce administrative overhead:
- They can be granted to all users, for a target or for a target type
- New targets can automatically be accessed by many users
- Global Preferred Credentials can be used to efficiently onboard new administrators, enabling new users to automatically access many targets
- Users can always override them with their user-level Preferred Credential
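The level diagram and the two slides after it describe a lookup order: a user's own target-specific credential, then their target-type default, then the global target-specific credential, then the global target-type default, with the global levels usable only by administrators holding OPERATOR_TARGET. The following added example (not Oracle's code, and not how EM implements the lookup internally) models that order so the precedence can be checked for a given user and target. Store contents, user names and target names are constructed; OPERATOR_TARGET is modelled as a set of (user, target) grants.

```python
# Added example (not Oracle's code): models the four-level preferred
# credential lookup shown on the slide. Level names follow the slide legend
# (PC, DPC, GPC, GDPC). All names below are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class PreferredCredentialStore:
    # Level 1: user-scoped, target-specific (PC)
    user_target: Dict[Tuple[str, str], str] = field(default_factory=dict)
    # Level 2: user-scoped, target-type default (DPC)
    user_type: Dict[Tuple[str, str], str] = field(default_factory=dict)
    # Level 3: global, target-specific, all users (GPC)
    global_target: Dict[str, str] = field(default_factory=dict)
    # Level 4: global, target-type default, all users (GDPC)
    global_type: Dict[str, str] = field(default_factory=dict)


def resolve_preferred_credential(
    store: PreferredCredentialStore,
    user: str,
    target: str,
    target_type: str,
    operator_grants: Set[Tuple[str, str]],
) -> Optional[Tuple[str, str]]:
    """Return (level, named_credential) for the first level that matches.

    A user's own preferred credential always wins over the global ones; the
    global levels are only consulted when the user holds OPERATOR_TARGET on
    the target (modelled here as a (user, target) pair in operator_grants).
    """
    if (user, target) in store.user_target:
        return "PC", store.user_target[(user, target)]
    if (user, target_type) in store.user_type:
        return "DPC", store.user_type[(user, target_type)]
    if (user, target) in operator_grants:
        if target in store.global_target:
            return "GPC", store.global_target[target]
        if target_type in store.global_type:
            return "GDPC", store.global_type[target_type]
    return None  # nothing applies: the console would show a login prompt


# Constructed sample store: alice has her own credentials, bob relies on the
# global ones, carol holds no OPERATOR_TARGET grant at all.
STORE = PreferredCredentialStore(
    user_target={("alice", "prod-db1"): "ALICE_DB1_CRED"},
    user_type={("alice", "oracle_database"): "ALICE_DB_DEFAULT"},
    global_target={"prod-db2": "GLOBAL_DB2_CRED"},
    global_type={"oracle_database": "GLOBAL_DB_DEFAULT"},
)
OPERATOR_GRANTS = {("bob", "prod-db2"), ("bob", "prod-db3"), ("alice", "prod-db2")}

if __name__ == "__main__":
    for who, tgt in [("alice", "prod-db1"), ("alice", "prod-db2"),
                     ("bob", "prod-db2"), ("bob", "prod-db3"), ("carol", "prod-db3")]:
        print(who, tgt, resolve_preferred_credential(STORE, who, tgt, "oracle_database", OPERATOR_GRANTS))
```

Note that alice reaches prod-db2 through her own target-type default even though a global target-specific credential exists for it, which is the "users can always override" rule; carol gets nothing because the global levels are gated on OPERATOR_TARGET.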

How do I grant a Named Credential to a group of users who are performing a specific task requiring credentials?
Named Credentials can be shared between administrators performing a specific task by assigning the Named Credential to a Private Role, then granting that role to your users.

Enterprise Manager: Private Roles
Introducing the ability to grant sensitive privileges to a role in a controlled manner.
Prior to 12.1.0.4:
- Only Super Administrators could create and grant Roles
- Once created, a role was available to any Super Administrator to further grant to any user
- Super Administrators could grant a role without the permission or knowledge of the owner
- This created security concerns for powerful privileges and resources, which is why named credentials could not be granted to roles
Introducing Private Roles in 12.1.0.4:
- Privileged administrators can create and grant roles
- Once created, a Private Role is available only to administrators who have been specifically granted that role
- Only role owners or role grantees can grant the private role, alleviating security concerns as private roles are granted only to trusted administrators
Introducing new Role terminology:
- System Role: a role created and granted by a Super Administrator, or by an administrator with the manage_system_role privilege
- Private Role: a role created and granted by a Super Administrator, or by an administrator with the create_role privilege; private roles can be granted with the WITH_ADMIN option

Enterprise Manager: System Roles and Private Roles

Role type     | What?                                    | Created by whom?                          | Options?
System Roles  | Privilege A, Privilege B, etc.           | Super Administrator, or an administrator  | No options
              | Cannot contain LAUNCH_DP, FULL_DP,       | with manage_system_role                   |
              | FULL_JOB, GET_CREDENTIAL,                |                                           |
              | EDIT_CREDENTIAL, FULL_CREDENTIAL         |                                           |
Private Roles | Privilege A, Privilege B, etc.           | Super Administrator, or an administrator  | With WITH_ADMIN option,
              | Can contain LAUNCH_DP, FULL_DP,          | with create_role                          | or without ADMIN option
              | FULL_JOB, GET_CREDENTIAL,                |                                           |
              | EDIT_CREDENTIAL, FULL_CREDENTIAL         |                                           |

Enterprise Manager: Private Roles
Introducing the ability to grant sensitive privileges to a role in a controlled manner.
A Private Role can be granted to an administrator with the WITH_ADMIN option as follows:
emcli> create_role(name="private_role", private_role=true)
emcli> grant_privs(name="private_role", privilege="get_credential;cred_name=sshcred")
emcli> grant_roles(name="bob", role="private_role")
emcli> grant_roles(name="JOHN", role="private_role:with_admin")
// BOB cannot share this credential with other users, as he has not been granted the role private_role with the WITH_ADMIN option
// JOHN can now share this credential with other users, as he has been granted the role private_role with the WITH_ADMIN option

Enterprise Manager: Private Roles
Private Role benefits:
- Private roles work well for sharing credentials with administrators assigned to a specific role
- Leveraging private roles improves job manageability, allowing other administrators to take over job ownership if the job owner leaves, once the new job owner is granted the FULL_JOB privilege on that job
- Leveraging private roles or manage_system_role reduces the role administration load on the Super Administrator
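The three Private Roles slides state two rules: a system role cannot contain the credential, job and deployment-procedure privileges listed in the table, and a private role can be passed on only by its owner or by a grantee who holds it WITH_ADMIN. The following added example (not Oracle's code, and not EM's implementation) models those rules and replays the emcli sequence from the slide, so the BOB/JOHN outcome in the comments can be checked. Administrator names and their capabilities are constructed; the privilege string keeps the emcli `name;cred_name=...` form.

```python
# Added example (not Oracle's code): a model of the system-role / private-role
# rules on the preceding slides. Actor names, capabilities and credential
# names are constructed.
from dataclasses import dataclass, field
from typing import Dict, Set

# Privileges that, per the slide table, only a private role may contain.
PRIVATE_ROLE_ONLY = {"LAUNCH_DP", "FULL_DP", "FULL_JOB",
                     "GET_CREDENTIAL", "EDIT_CREDENTIAL", "FULL_CREDENTIAL"}


class RoleError(Exception):
    """Raised when an action breaks one of the role rules."""


@dataclass
class Role:
    name: str
    owner: str
    private: bool
    privileges: Set[str] = field(default_factory=set)
    grantees: Dict[str, bool] = field(default_factory=dict)  # user -> granted WITH_ADMIN?


# Constructed administrators and the role-management capabilities they hold.
ADMINS: Dict[str, Set[str]] = {
    "sysman": {"SUPER_ADMIN"},
    "dba_lead": {"CREATE_ROLE"},
    "bob": set(),
    "john": set(),
    "alice": set(),
}


def create_role(name: str, creator: str, private: bool) -> Role:
    caps = ADMINS.get(creator, set())
    needed = "CREATE_ROLE" if private else "MANAGE_SYSTEM_ROLE"
    if "SUPER_ADMIN" not in caps and needed not in caps:
        raise RoleError(f"{creator} lacks {needed} and is not a super administrator")
    return Role(name=name, owner=creator, private=private)


def privilege_allowed(role: Role, privilege: str) -> bool:
    """privilege is in emcli form, e.g. 'get_credential;cred_name=sshcred'."""
    base = privilege.split(";", 1)[0].upper()
    return role.private or base not in PRIVATE_ROLE_ONLY


def grant_privs(role: Role, privilege: str) -> None:
    if not privilege_allowed(role, privilege):
        raise RoleError(f"system role {role.name} cannot contain {privilege}")
    role.privileges.add(privilege)


def can_grant(role: Role, grantor: str) -> bool:
    """Private roles: only the owner or a grantee holding it WITH_ADMIN.
    System roles: super administrators or holders of manage_system_role."""
    if role.private:
        return grantor == role.owner or role.grantees.get(grantor, False)
    caps = ADMINS.get(grantor, set())
    return "SUPER_ADMIN" in caps or "MANAGE_SYSTEM_ROLE" in caps


def grant_role(role: Role, grantor: str, grantee: str, with_admin: bool = False) -> None:
    if not can_grant(role, grantor):
        raise RoleError(f"{grantor} cannot grant role {role.name}")
    role.grantees[grantee] = with_admin


def replay_slide_sequence() -> Role:
    """The emcli sequence from the Private Roles slide, with dba_lead as the creator."""
    role = create_role("private_role", "dba_lead", private=True)
    grant_privs(role, "get_credential;cred_name=sshcred")
    grant_role(role, "dba_lead", "bob")                     # BOB: no WITH_ADMIN
    grant_role(role, "dba_lead", "john", with_admin=True)   # JOHN: WITH_ADMIN
    return role


if __name__ == "__main__":
    r = replay_slide_sequence()
    print("bob can share:", can_grant(r, "bob"))        # False
    print("john can share:", can_grant(r, "john"))      # True
    print("sysman can share:", can_grant(r, "sysman"))  # False: not granted the private role
```

The last line of the demo is the point of the feature: a super administrator who has not been granted the private role cannot hand the credential on, which is what was impossible to guarantee with pre-12.1.0.4 roles.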

Enterprise Manager: Authorization
Authorization is the action of determining who has access where, to do what.

Enterprise Manager: Authorization
Authorization determines who has access where, and to do what. It is defined by:
- Privileges
  - Target privileges, e.g. View, Operator, Full
  - Resource privileges, e.g. Jobs, Deployment Procedure, Compliance
- Roles
  - Made up of privileges
  - Defined in Enterprise Manager
  - Can be mapped to LDAP groups (external role)
Granted to: Administrators

How do I restrict developers to read-only access to production target databases?
Use privilege propagating groups, aggregate target level privileges and the Connect Target Read Only privilege to restrict developer access to production databases.

Enterprise Manager: Authorization
Example: granting developers view access to a database.
Use case: how to provide application developers read-only access to database performance pages in Enterprise Manager, so that they get firsthand information on the impact of their applications on the underlying database.
(Diagram: Application Developers - DB Credential - Connect Target Read Only on the DBAGroup privilege propagating group.)
Steps:
1. Define your role to include the Connect Target Read Only privilege on the DBAGroup privilege propagating group, then grant it to your application developers.
2. Create a Named Credential to enable developers to see the DB performance pages in Enterprise Manager, and grant the Named Credential.

Enterprise Manager: Enhancement to groups, systems and other aggregate target types
Ability to grant different privileges to a group and to the group members (group privilege vs. member privilege).
- Aggregate Target Type: a group of targets, or a target made up of many components, e.g. a group of DB instances or a RAC
- Use case: the ability to grant VIEW privilege on the aggregate (i.e. the group of DB instances) and FULL on the members (i.e. the DB instances)
  - The DBA has VIEW privilege on the group, preventing him from deleting the group
  - The DBA has FULL privilege on the members of the group, allowing him to perform full life cycle tasks, including deleting the target

Enterprise Manager: Authorization
Roles, aggregate target types and privilege propagating groups:
- Leveraging privilege propagating groups with aggregate target level privileges enhances target group management
- By granting FULL on a target member and VIEW on the group (aggregate), the administrator is prevented from accidentally deleting the group (aggregate)
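The authorization slides above describe a privilege propagating group on which the aggregate and its members carry different privileges, and whose new members inherit the member privilege automatically. The following added example (not Oracle's code, and not EM's authorization engine) models that: one grant call records a group privilege and a member privilege, later members are covered without a new grant, and the VIEW/OPERATOR/FULL check honours the usual EM ordering in which FULL implies OPERATOR implies VIEW. Connect Target Read Only is treated as a separate, non-hierarchical privilege; its identifier, the group, target and role names are all constructed.

```python
# Added example (not Oracle's code): models privilege propagating groups with
# separate aggregate and member privileges. Names are constructed, including
# the CONNECT_TARGET_READONLY identifier used for "Connect Target Read Only".
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Hierarchical target privileges: FULL implies OPERATOR implies VIEW.
RANK = {"VIEW": 1, "OPERATOR": 2, "FULL": 3}
Grants = Dict[Tuple[str, str], Set[str]]  # (grantee, target) -> privileges held


class PrivilegePropagatingGroup:
    def __init__(self, name: str, members: List[str]):
        self.name = name
        self.members = list(members)
        # grantee -> privileges propagated to every member, present and future
        self.member_grants: Dict[str, Set[str]] = defaultdict(set)

    def grant(self, grants: Grants, grantee: str, group_priv: str,
              member_priv: Optional[str] = None) -> None:
        """Grant group_priv on the aggregate and member_priv (default: the same) on each member."""
        grants[(grantee, self.name)].add(group_priv)
        member_priv = member_priv or group_priv
        self.member_grants[grantee].add(member_priv)
        for member in self.members:
            grants[(grantee, member)].add(member_priv)

    def add_member(self, grants: Grants, target: str) -> None:
        """A newly added member receives the propagated privileges automatically."""
        self.members.append(target)
        for grantee, privs in self.member_grants.items():
            grants[(grantee, target)].update(privs)


def has_privilege(grants: Grants, grantee: str, target: str, wanted: str) -> bool:
    held = grants.get((grantee, target), set())
    if wanted in RANK:  # hierarchical target privilege
        return any(RANK.get(p, 0) >= RANK[wanted] for p in held)
    return wanted in held  # non-hierarchical privileges are matched by name


def build_example() -> Tuple[Grants, PrivilegePropagatingGroup]:
    grants: Grants = defaultdict(set)
    dba_group = PrivilegePropagatingGroup("DBAGroup", ["prod-db1", "prod-db2"])
    # DBA role: VIEW on the aggregate (cannot delete the group), FULL on the members
    dba_group.grant(grants, "DBA_ROLE", "VIEW", "FULL")
    # Developer role: VIEW plus read-only connect on the members, nothing more
    dba_group.grant(grants, "APP_DEV_ROLE", "VIEW")
    dba_group.grant(grants, "APP_DEV_ROLE", "VIEW", "CONNECT_TARGET_READONLY")
    # A database added later is covered without any further grants
    dba_group.add_member(grants, "prod-db3")
    return grants, dba_group


if __name__ == "__main__":
    g, _ = build_example()
    print("DBA can delete group:", has_privilege(g, "DBA_ROLE", "DBAGroup", "FULL"))     # False
    print("DBA FULL on new member:", has_privilege(g, "DBA_ROLE", "prod-db3", "FULL"))   # True
    print("Dev OPERATOR on member:", has_privilege(g, "APP_DEV_ROLE", "prod-db1", "OPERATOR"))  # False
```

The check worth running against a real configuration is the one the DBA example makes: anyone who holds FULL on the aggregate itself can delete the group, so audit grants on the group separately from grants on its members.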

EM12c Security Best Practices
Roles, Privileges, Auto-login, User auto-provisioning, Dynamic Groups and Named Credentials: implementation at Rabobank
Marleen Gebraad and Nagaraj Krishnappa

Agenda
- Introducing Rabobank
- Oracle ECO department and EMaaS
- EM12c Security Model: Users and Smart Card Access
- EM12c Security Model: Roles and Dynamic Groups
- EM12c Security Model: Dynamic Groups and Privileges
- EM12c Security Model: Named Credentials and Jobs
- Q & A

Introducing Rabobank
- Established in 1898
- International financial services provider on a cooperative organisation principle
- Retail banking, wholesale banking, asset management, leasing and real estate
- Operating in 40 countries; 10 million customers around the world; 55,100 FTEs
- Retail banking in the Netherlands: 7.5 million customers; 123 independent local banks in the Netherlands; 591 offices inside the Netherlands; 25,200 FTEs
- Rabobank is 5th in the world's safest commercial banks and still the safest bank in Europe, as compiled by the American business magazine Global Finance

Oracle ECO team and EMaaS
- Oracle ECO team: from one central department responsible for the complete Oracle stack to a decentralized organization with a smaller set of responsibilities
- Previously EM11g was used only by the Oracle ECO team (50+ users); the current EM12c will be published as a service to Rabobank Nederland (1000+ users)
- For EMaaS, more focus on increasing levels of integrity and confidentiality: a role-based access model, strong authentication, fine-grained privilege access, every action performed via individual accounts, efficient user and role management, auditing of user actions, etc., following the security principles for web-based applications in Rabobank

Users and Smart Card Access
- Rabo Web Authentication (RWA), which is a custom LDAP integrated with OID 11.1.0.7
- Users are of Single Sign-on (SSO) authentication type and exist in RWA (authentication) and Oracle Internet Directory (authorization)
- Auto-provisioning parameters used:
  oracle.sysman.core.security.auth.enable_username_mapping
  oracle.sysman.core.security.auth.autoprovisioning
  oracle.sysman.core.security.auth.is_external_authentication_enabled
  oracle.sysman.emsdk.sec.directoryauthenticationtype
  oracle.sysman.core.security.auth.autoprovisioning_minimum_role
- Rabobank smartcard access to EM12c, making this strong authentication
- RWA Identity Asserter (custom identity asserter) and AdminOID configured as WebLogic security providers
- WebLogic global role associated with OID groups, so that RWA smartcard access also covers the Admin Server console

Users and Smart Card Access
(Flow diagram between Workstation (Smartcard), RWA client, RWA Identity Asserter, OID authentication provider, WebLogic, Oracle Internet Directory (OID), Enterprise Manager 12c and the EM12c Repository; the numbered steps as shown are listed here.)
1. RWA cookie
2. Check cookie
3. Result
4. Identity rabobankid
5. Get privs
6. Group
7. Identity & Groups
9. Match Group
10. Roles
11. Show application

Roles and Dynamic Groups
- Each role is based on teams within the Rabobank ICT organization (the picture depicts the Oracle ECO Team as an example)
- Team-based roles exist as groups in OID and appear as external roles in EM12c
- Each team-based role is associated with functions (SEC = security operations, LJD = library job designer, etc.)
- Each function-based role has a management and an end-user sub-function role (e.g. create a job vs. view/execute a job)
- The technical EM role EMAAS_MG_EM (the yellow block among the global roles depicted in the picture) has some higher functions due to the responsibility of managing EM and all its targets

Dynamic Groups and Privileges
- Target privileges are assigned to privilege propagating dynamic groups
- In the example diagram, the dynamic groups are shown on the Y axis, and the teams to which users belong are depicted on the X axis
- Dummy service teams are created in order to cover different scenarios; for example, a database belongs to the TT DB team, but if a database is an EM repository it should also belong to the ST EM team
- For special roles like Employee of the Day (MVdD) and Standby (STBY), we have created an operator-any-target privilege
- If, for any reason, a user has to become super-admin, he/she can use a custom-built, time-based role-providing application called SUPERU

Named Credentials and Jobs
- Named credentials are used in Rabobank to access the critical system accounts (oracle/root/sys, etc.)
- In the future, we would like to integrate this with a password management digital vault, and we plan to use a time-based token technology to obtain named credentials as well
- Jobs are classified as system jobs and individual jobs; e.g. system jobs are the backup jobs for all databases/OS, etc.
- Every user must create a job under their own account and share the job (user-defined job) with a particular user/role if needed, typically with team-based roles for system jobs
- What happens when a user leaves the organization or changes teams, especially with system jobs that are owned by that user? How can I grant full access to the team-based roles? For example, the database backup job should be given full privilege to all Technical DB team members
- Private roles are used in 12.1.0.4 to solve the above issues faced in 12.1.0.3

Q & A

Enterprise Manager: OTN Resources
- Documentation
- Screen watches

Enterprise Manager: Security Tips
- Tip #1: Use one-step configuration for AD, OID and OAM to conveniently set up Enterprise Manager for external authentication using the command emctl config auth.
- Tip #2: You do not need to pre-create or re-enter user account information when using LDAP for external authentication; enabling auto-provisioning and using external roles will auto-create user accounts.
- Tip #3: Use Global Preferred Credentials, the best way to set Preferred Credentials for all users across many targets.
- Tip #4: Named Credentials can be shared between administrators performing a specific task by assigning the Named Credential to a Private Role, then granting that role to your users.
- Tip #5: Use privilege propagating groups, aggregate target level privileges and the Connect Target Read Only privilege to restrict developer access to production databases.
Appendix:
- Tip #6: Using Privilege Delegation bulk apply and deploy will allow you to efficiently standardize your PDP settings across your datacenter.
- Tip #7: Use the Security Console to conveniently view security configuration information for your managed environment.

Appendix CON8243 - Enterprise Manager 12c Security Cookbook: Best Practices for Large Datacenters

How can I efficiently deploy my PDP settings to all the managed hosts in my data center?
Default PDP templates can be applied to newly discovered host targets. For existing hosts, bulk apply and deploy can be used to efficiently standardize PDP settings across your data center.

Enterprise Manager: Privilege Delegation
Allowing users to elevate to the privileges of another user.
- Privilege delegation allows a user to perform an activity with the privileges of another user, e.g. patching, provisioning, jobs, etc.
- Privilege Delegation tools supported are Sudo and PowerBroker
- A PDP template defines how privilege delegation is configured for a particular host; this information is needed when a PDP is deployed. It defines:
  - The host operating system
  - The type of PDP being used on a particular host
  - The command line format and switches expected from the PDP tool
- Templates can be applied to multiple hosts, and default templates can be applied to newly discovered host targets:
  - Prevents an administrator applying PDP settings on a host-by-host basis
  - Ensures a standard configuration on all hosts
  - Particularly useful when many host targets have been added to Enterprise Manager simultaneously

Enterprise Manager: Security Console and Entitlement page
Putting it all together: the Security Console and the Entitlement Page provide information on your security configuration and resources.

Where can I get a consolidated view of all my security settings?
Use the Security Console to conveniently view security configuration information for your managed environment.

Enterprise Manager: Security Console
A convenient location for all security information.
- Best practice recommendations, such as:
  - the encryption key should be removed from the repository
  - auditing of operations should be turned on
  - auditing externalization should be turned on
- Configuration information, such as:
  - Who is currently logged on?
  - Who are the most active users?
  - Are there any unsecured agents?
  - When will the certificates expire?

Enterprise Manager: Entitlement Page
A convenient way to determine the privileges, roles and resources of a user.

Enterprise Manager: Resources
Security Console and Entitlement Page benefits:
- A central location for all security information related to your infrastructure, allowing administrators to view, optimize and analyze security information
- The Entitlement Page improves user management by displaying privilege, role and resource information on a per-user basis, providing information on target access