Oracle Advanced Support Gateway Security Guide
Part No: E40643-17
April 2017

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

Access to Oracle Support

Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Contents

Oracle Advanced Support Gateway Security Guide ... 7
  About the Oracle Advanced Support Gateway ... 7
  General Requirements ... 8
  Changes to the Security Guide Since the Last Release ... 8
  Firewall Port Requirements ... 9
  External Connection ... 10
    TLS VPN and Oracle Advanced Support Gateway ... 10
    Alternative External Connection Option ... 11
  Controlling Remote VPN Access Using the Green Button Icon ... 12
  Customer Access to the Gateway ... 12
  Internal Connection ... 12
  Firewall Rules: Ports and Protocols ... 13
    Firewall Rules for External Traffic ... 14
    Firewall Rules for External Traffic Through the Encrypted VPN Tunnel ... 16
  Firewall Rules for Internal Traffic ... 17
    Firewall Rules Between the Gateway and the Customer Network ... 18
    Firewall Rules for Gateway Hardware Self Monitoring ... 18
    Firewall Rules Between the Gateway and Exadata ... 19
    Firewall Rules Between the Gateway and ZDLRA ... 21
    Firewall Rules Between the Gateway and ZFS ... 23
    Firewall Rules Between the Gateway and Exalogic ... 25
    Firewall Rules Between the Gateway and SuperCluster ... 27
    Firewall Rules Between the Gateway and Exalytics ... 30
    Firewall Rules Between the Gateway and Oracle Database Appliance ... 31
    Firewall Rules Between the Gateway and Oracle Big Data Appliance ... 32
    Firewall Rules Between the Gateway and Oracle Cloud Machine ... 34
    Firewall Rules Between the Gateway and Exadata Cloud Machine ... 39
    Firewall Rules Between the Gateway and Oracle Standalone Hosts ... 47
    Firewall Rules Between the Gateway and Oracle Third-Party Hosts ... 48
    Firewall Rules Between the Gateway and Hosts to be Monitored by ADS ... 49
    ZFS, Exalogic, and SuperCluster ASR Endpoint IP Address Changes ... 50
  Implementation Changes to a Customer System ... 50
    The Monitoring Matrix ... 51
    Implementation Impact on the Environment ... 52
    All Systems With An Agent Deployed ... 53
    Engineered Systems ... 54
    Engineered System Cisco Switches ... 54
    Engineered System Infiniband Switches ... 55
    Engineered System PDU's ... 55
    OVS Compute Nodes ... 55
    Exalogic Compute Nodes (Physical Implementation) and Exalogic Virtual Machines / Control Virtual Machines ... 56
    ZFS Storage Array Storage Heads ... 56
    Pillar Axiom 600 Storage Arrays ... 57
    Utilization Impact Risk of OEM Cloud Control Agent on Monitored Systems ... 57
    Backout Plan ... 58
  Server Prerequisites for Monitoring Deployment ... 58
    Monitoring Access: an Overview ... 58
    User Privileges ... 59
    Solaris 11 Initial Setup User RBAC Profile ... 61
    Solaris 10 Initial Setup User RBAC Profile ... 63
    Solaris sudo Profile ... 63
    Linux sudo Profile ... 64
  Storage Prerequisites for Monitoring Deployment ... 65
    Monitoring Deployment: an Overview ... 65
    Oracle ZFS Storage Appliances ... 65
  Audit Logging Feature ... 67
    Enabling and Disabling Logging Messages ... 69

Oracle Advanced Support Gateway Security Guide

This document outlines the requirements for deploying the Oracle Advanced Support Gateway into the customer environment to support the delivery of certain Oracle remote services (hereafter referred to as Oracle Services). The Oracle Advanced Support Gateway is an important part of the Oracle delivery architecture for Oracle Services and its placement must be carefully considered in order for Oracle to deliver Oracle Services.

This document outlines network configuration options when integrating the Oracle Advanced Support Gateway device within the customer environment. To help explain these options, this document assumes a "simple" customer-side network topology. However, these options can extend to more complex network topologies.

About the Oracle Advanced Support Gateway

The Oracle Advanced Support Gateway is a multi-purpose platform designed to facilitate a number of Oracle Services including Oracle Platinum Services, Advanced Monitoring and Resolution, LifeCycle services, and Business Critical Service for Systems. The Oracle Advanced Support Gateway enables the simplification of network requirements and a single point of access for the provision and delivery of these services.
The Gateway platform is based on the Oracle Linux operating system and hosts a full set of Oracle software stacks, including Automated Service Request (ASR), Oracle Enterprise Manager (12c or 13c), Oracle Configuration Manager (OCM), patch management (such as YUM services), and a suite of Java applications. Together, these applications aggregate and route telemetry messages from the customer environment to the Oracle Support Services infrastructure.

The Oracle Advanced Support Gateway provides remote access for Oracle engineers to access the customer network (with customer permission) and to carry out approved actions on customers' monitored systems.

General Requirements

There are a number of general requirements that are necessary for Oracle to deliver Oracle Services:

■ An Oracle Advanced Support Gateway must be provisioned into the customer's environment.
■ All monitored systems must be network accessible from the Oracle Advanced Support Gateway.
■ The monitored systems must be dedicated to the customer. Oracle will not be able to deliver services for monitored systems which are not exclusively owned and controlled by the customer.
■ Oracle recommends a dedicated, physical server. The Gateway can be deployed in a VM instance running on a standalone Oracle Virtual Machine (OVM) server. No other virtualization technologies, for example, VMWare, are supported.
■ Oracle must have access to certain ports and protocols (described below) in order to implement and deliver Oracle Services.

The Oracle Advanced Support Gateway must be continuously accessible from the Oracle Support Platform using the secure protocols described below. However, the Oracle Advanced Support Gateway must not be directly exposed to the Internet.
In order to expedite the implementation process, the customer will be required to provide a high-level network topology which should include:

■ IP numbering scheme
■ Routing policy
■ Locations of firewalls
■ Locations of monitored systems
■ Proposed location of Gateway

Having this information enables Oracle to provide a recommendation regarding Oracle Advanced Support Gateway placement.

Changes to the Security Guide Since the Last Release

This section outlines the principal changes made to the Oracle Advanced Support Gateway Security Guide since the last release (E40643-16; March 2017).

■ Incorrect IP addresses provided for the LDAP protocol in the firewall rules table for external traffic through the encrypted VPN tunnel have been updated. See “Firewall Rules for External Traffic Through the Encrypted VPN Tunnel” on page 16.
■ Updates have been made to the monitoring implementation for Virtual Exadata and Exalogic systems requiring new sudoers profiles for monitoring users. See “OVS Compute Nodes” on page 55 and “Exalogic Compute Nodes (Physical Implementation) and Exalogic Virtual Machines / Control Virtual Machines” on page 56.

Firewall Port Requirements

The specifics of the Oracle Services network requirement depend on the customer network topology relative to the Oracle Services Support centers, the Oracle Advanced Support Gateway, and the monitored systems. The customer networks must be configured to permit traffic flow as shown in the diagram below. The firewall rules must be set up to allow traffic flow in two situations:

■ Between the Oracle Advanced Support Gateway and Oracle Services Support centers. This is referred to as the external connection.

  Note - A web proxy can be used to proxy the HTTPS traffic across the external connection. However, Oracle Advanced Support Gateway does not support NTLM or Kerberos proxy authentication. The Transport Layer Security (TLS) VPN traffic cannot be routed through a proxy server.

  Note - To defend against security attacks, you should never connect Oracle Advanced Support Gateway interfaces or the Oracle ILOM Service Processor to a public network, such as the Internet. The Gateway should never be exposed directly to the Internet without the protection of a customer firewall or Access Control List (ACL). You should keep the Oracle ILOM Service Processor management traffic on a separate management network and grant access only to system administrators. For further information, see the section on Securing the Physical Management Connection in the Oracle ILOM Security Guide.

■ Between the Oracle Advanced Support Gateway and the customer's monitored devices, through a customer-controlled firewall or other security devices. This is referred to as the internal connection.

The diagram below depicts an example traffic flow between monitored systems and Oracle. (Detailed firewall rules and templates are provided to the customer during the implementation process.)

FIGURE 1 High Level Traffic Flow and Firewall Requirement

External Connection

Oracle utilizes a combination of a VPN solution and TLS to secure communications between the Oracle Advanced Support Gateway, located within the customer's environment, and the Oracle Services Support center locations. The VPN is primarily used for tasks such as facilitating patching requirements from Oracle Services Support center locations to the Oracle Advanced Support Gateway, and TLS is used for transporting the monitoring telemetry from the Oracle Advanced Support Gateway to the Oracle Services Support center locations.

TLS VPN and Oracle Advanced Support Gateway

The Oracle Advanced Support Gateway is configured with a software TLS-based VPN client.
When the Gateway boots up, it opens an outbound connection to one of three Oracle Services Support centers, establishing a TLS VPN tunnel. At that point, this connection is used for inbound connectivity between the Oracle Services Support center and the Gateway. No inbound firewall port openings are required, as the initial connection is outbound. The Gateway is assigned a unique ID and password and connects to one of three Oracle VPN concentrators.

The TLS-based VPN has the following features:

■ Connection based on TLS 1.2 with AES256 symmetric encryption, to ensure traffic integrity and confidentiality.
■ Continuous VPN connection availability through the use of active/passive VPN cluster servers at the Oracle Services Support centers. Any hardware or software issue on the active VPN server fails over all connections to the backup VPN.
■ Disaster recovery processes that use multiple clusters around the world. Any connection issue with one of the Oracle Services Support centers fails over client connections to the other Oracle Services Support centers.

FIGURE 2 A TLS-Based VPN Client Connection from Oracle Advanced Support Gateway to Oracle

Note - The TLS VPN is the standard method for establishing the connection with Oracle. Alternative connection methods are available on an exception, customer-by-customer basis, as summarized in “Alternative External Connection Option” on page 11. If you wish to explore these options further, please contact your Oracle Implementation Manager.

Alternative External Connection Option

Oracle offers an alternate method for establishing a connection using IPSec. The connection is terminated on the customer's existing VPN hardware. This option generally requires an extended implementation cycle and is approved on an exception basis.
If the customer chooses to use their existing VPN device (for example, a firewall or VPN concentrator) as a termination point, the overall VPN requirements described above remain the same. The encryption domain requirements for this connection will create a more complex configuration. The requirements include, but are not limited to:

■ A public IP per Gateway connection supplied by the customer for use inside the VPN encryption domain;
■ Access to one /26 subnet and multiple /32 addresses inside the encryption domain;
■ Allowing the ports and protocols listed in the table specifying firewall rules between the Gateway and Oracle standalone hosts in this guide (see “Firewall Rules Between the Gateway and Oracle Standalone Hosts” on page 47) to communicate across the VPN;
■ Network Address Translation (NAT) between the host and the Oracle resources over the tunnel is not supported (the Gateway must communicate directly with the public IP addresses inside the Oracle VPN).

Controlling Remote VPN Access Using the Green Button Icon

Oracle security policies require a VPN between Oracle and the customer so that Oracle can access the customer systems. The Oracle Advanced Support Gateway enables the customer to control remote access by enabling and disabling VPN connectivity with Oracle. The Remote Access icon, also referred to as the Green Button, is displayed in the utility menu on the top-right of the Gateway user interface. You can set the duration of a VPN session, toggle the icon to turn the remote access session on or off, or view a history of remote access control sessions.

Note - Remote VPN Access ("Green Button") functionality is not available for all Oracle Connected Services. Please refer to your Oracle representative for further details. This feature is described in the Oracle Advanced Support Gateway User's Guide.
Customer Access to the Gateway

After installation of the Oracle Advanced Support Gateway is complete, Oracle retains access to the Gateway and will require ongoing access to it for delivery of services (customer access to the Lights Out Management (LOM) section of the server is permitted). Customer access is authorized only through the Customer Admin account, which enables the use of the CLISH command line interface (CLI), and through the Gateway Web portal that the customer can access using a browser. This CLI exposes only those commands and configuration wizards that are intended for customer interaction and customization of the Gateway.

Customers are not authorized to access the Gateway using any other user account or other CLIs (such as bash or sh). Customers should not modify or hack the Gateway to obtain access as other users (for example, root) and should not install any software agentry (monitoring or management) on the Gateway. To do so would represent unauthorized access to, or modification of, an Oracle managed system.

Internal Connection

Placing the Oracle Advanced Support Gateway in a customer's DMZ that is not directly exposed to the Internet is the recommended internal connection option. By placing the Oracle Advanced Support Gateway in a DMZ behind an Internet firewall, the customer has control of traffic traversing their internal networks and also of inbound connections from the Internet.

Firewall Rules: Ports and Protocols

This section provides information about the standard firewall port configurations necessary for the delivery of Oracle Services.

Note - The final port and firewall requirements depend on the specific Engineered System being monitored by Oracle Services, the connectivity method chosen, and the actual customer network design.
The following table lists the firewall port configuration tables and the other tables that provide information on monitoring requirements. Each table is associated with the services and systems which apply to it; for example, All Services means all remotely delivered services: Oracle Platinum Services, Oracle Advanced Monitoring and Resolution, and Oracle Advanced Database Services (ADS).

TABLE 1 Firewall Rules Tables, Other Monitoring Tables and Applicable Oracle Services and Systems

Table Description | Applicable Oracle Services/Systems
“Firewall Rules for External Traffic” on page 14 | All Oracle Services
“Firewall Rules Between the Gateway and the Customer Network” on page 18 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules for Gateway Hardware Self Monitoring” on page 18 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Exadata” on page 19 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and ZDLRA” on page 21 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and ZFS” on page 23 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Exalogic” on page 25 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and SuperCluster” on page 27 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Exalytics” on page 30 | Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Oracle Database Appliance” on page 31 | Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Oracle Big Data Appliance” on page 32 | Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Oracle Cloud Machine” on page 34 | Oracle Cloud Machine; Oracle Exadata Cloud Machine
“Firewall Rules Between the Gateway and Exadata Cloud Machine” on page 39 | Oracle Exadata Cloud Machine
“Firewall Rules Between the Gateway and Oracle Standalone Hosts” on page 47 | Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Oracle Third-Party Hosts” on page 48 | Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Hosts to be Monitored by ADS” on page 49 | Oracle Advanced Database Support (ADS)
“ZFS, Exalogic, and SuperCluster ASR Endpoint IP Address Changes” on page 50 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules for External Traffic Through the Encrypted VPN Tunnel” on page 16 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“The Monitoring Matrix” on page 51 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Utilization Impact Risk of OEM Cloud Control Agent on Monitored Systems” on page 57 | All Oracle Services
“Restricted User for Monitoring Deployment (AKSH Shell)” on page 66 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution

The firewall port configurations are divided into sections:

■ “Firewall Rules for External Traffic” on page 14
■ “Firewall Rules for External Traffic Through the Encrypted VPN Tunnel” on page 16
■ “Firewall Rules for Internal Traffic” on page 17

Firewall Rules for External Traffic

Note - The source for all these entries is the Oracle Advanced Support Gateway.

The rules in Table 2, “Firewall Rules Between the Oracle Advanced Support Gateway and the Oracle Services Support Center,” on page 14 apply to all of Oracle's Connected Services.
TABLE 2 Firewall Rules Between the Oracle Advanced Support Gateway and the Oracle Services Support Center Destination Destination IP Address(es) Application Protocol Network Protocol/ Port Purpose adc-ps-ssl-vpn.oracle-occn.com 198.17.210.28 TLS VPN TCP/443 - TLS llg-ps-ssl-vpn.oracle-occn.com 141.143.215.68 To establish a TLS VPN connection* between Oracle and the Oracle Advanced Support Gateway. tokyo-ps-ssl-vpn.oracle-occn. com 140.83.95.28 14 Oracle Advanced Support Gateway Security Guide • April 2017 UDP/443 - DTLS (Datagram TLS) *Cannot support communication through an internet proxy. Firewall Rules: Ports and Protocols Destination Destination IP Address(es) Application Protocol Network Protocol/ Port Purpose Note - The IP addresses of the destination hostnames have changed, as follows: ■ 198.17.210.28 replaces 141.146.131.124 ■ 141.143.215.68 replaces 144.24.23.68 and 143.47.2.36 ■ 140.83.95.28 replaces 202.8.27.20 dts.oracle.com 192.206.43.1 HTTPS TCP/443 To securely transport monitoring data to Oracle. transport-adc.oracle.com 141.146.156.41 HTTPS TCP/443 To securely transport monitoring and other data to Oracle. ccr.oracle.com 141.146.54.49 HTTPS TCP/443 To upload the customer's configuration data to Oracle's centralized configuration repository. support.oracle.com 141.146.54.16 HTTPS TCP/443 To download patches onto the Oracle Advanced Support Gateway from My Oracle Support (MOS) via the Oracle Enterprise Manager (OEM) Cloud Control UI. login.oracle.com Note - Each hostname currently resolves to multiple working IP addresses. Access to all addresses listed must be permitted as Oracle will switch from one to another in the near future. 209.17.4.8 HTTPS TCP/443 To connect to Oracle's centralized authentication site. 
linux-update.oracle.com, linux-update-adc.oracle.com, linux-update-ucf.oracle.com | 137.254.56.42 (linux-update and linux-update-adc), 156.151.58.24 (linux-update-ucf) | HTTPS | TCP/443 | To patch the Oracle Advanced Support Gateway and to download patches (from Unbreakable Linux Network servers) for customers who have patching services.
updates.oracle.com | 141.146.44.51 | HTTPS | TCP/443 | To provide patch downloads via Oracle Enterprise Manager (OEM).
acs-rac.oracle.com | 129.157.65.44 | HTTPS | TCP/2056 | When the Remote Access Control feature is active on the Oracle Advanced Support Gateway (that is, the "Green Button" is on), rsyslog is used to send audit logs to Oracle via a secured channel.
ZFS Phone Home | 129.157.65.13, 156.151.58.18, 141.146.8.119, 129.157.65.14, 141.146.1.169 | ZFS Phone Home | TCP/443 | ZFS fault monitoring is shipped direct to these Oracle systems. Used when the Oracle Advanced Support Gateway hosts a proxy server for the ZFS Storage Heads.

Firewall Rules for External Traffic Through the Encrypted VPN Tunnel

If you use the Oracle-provided TLS VPN solution, the following table is informational only; it illustrates the traffic transmitted over the VPN in support of the Oracle Advanced Support Gateway. If the alternative VPN solution is used, the following traffic must be allowed to communicate over the VPN.
TABLE 3 Firewall Rules between the Oracle Advanced Support Gateway and the Oracle Data Center Using VPN Tunnel

Source | Destination | Network Protocol/Port | Purpose
Oracle Advanced Support Gateway | 192.206.43.197/32, 198.51.38.199/32 | NTP (UDP/123) | Network Time Protocol (NTP)
Oracle Advanced Support Gateway | 192.206.43.194/32, 198.51.38.197/32 | Syslog (TCP/514) | Oracle Advanced Support Gateway syslog
Oracle Advanced Support Gateway | 198.51.38.194/32 | HTTPS (TCP/8080, 9898) | Oracle Advanced Support Gateway file integrity monitoring
198.51.38.193/32 | Oracle Advanced Support Gateway | HTTPS (TCP/8080, 9898) | Oracle Advanced Support Gateway file integrity monitoring
192.206.43.209/32, 198.51.38.209/32, 140.85.164.34/32 (Oracle Advanced Support Gateway Security Scanner) | Oracle Advanced Support Gateway | TCP/UDP/1-65535; ICMP (Types 8 & 0) | Oracle Advanced Support Gateway availability and security scanning
198.51.37.1/32, 193.188.5.1/32, 140.83.88.1/32, 140.83.88.129/32, 140.83.89.1/32, 141.146.155.40/32, 141.146.155.41/32, 192.206.43.208/32, 198.51.38.208/32 | Oracle Advanced Support Gateway | ICMP (Types 8 & 0); SSH (TCP/22); HTTPS (TCP/443, 7799, 9702); SGD (TCP/5307) | Management traffic to remotely manage the Oracle Advanced Support Gateway and also facilitate remote access
Oracle Advanced Support Gateway | 192.206.43.196/32, 198.51.38.198/32 | HTTPS (TCP/443) | REST services for Oracle Advanced Support Gateway
Oracle Advanced Support Gateway | 192.206.43.193/32, 198.51.38.196/32 | LDAP (TCP/636) | Oracle Advanced Support Gateway authentication (LDAP)

Firewall Rules for Internal Traffic

This section provides internal firewall rules tables for the customer network, Oracle Advanced Support Gateway hardware self monitoring, Exadata Database Machine (Exadata), Zero Data Loss Recovery Appliance, ZFS Storage Appliance Racked System, Exalogic Elastic Cloud (Exalogic), SuperCluster, Exalytics In-Memory Machine (Exalytics), Oracle Database Appliance, Oracle Big Data Appliance, Oracle Cloud Machine, Oracle Exadata Cloud Machine, and standalone hosts (both Oracle and third-party). This section also provides an internal firewall rules table between the Gateway and the hosts to be monitored by Oracle Advanced Database Support (ADS). Finally, this section contains a table listing ASR Endpoint IP address changes that apply to the following: ZFS Storage Appliance Racked System, Exalogic, and SuperCluster.

To see which of the following tables apply for Oracle Platinum Services, please see the Oracle-certified Platinum Services configurations on the Oracle Support website.

Note - If communication between management interfaces (that are connected to the Cisco IP switch within the Engineered System) is separated by a firewall, Access Control List (ACL), or any form of network filtering, the firewall rules must allow communication between these interfaces.

■ “Firewall Rules Between the Gateway and the Customer Network” on page 18
■ “Firewall Rules for Gateway Hardware Self Monitoring” on page 18
■ “Firewall Rules Between the Gateway and Exadata” on page 19
■ “Firewall Rules Between the Gateway and ZDLRA” on page 21
■ “Firewall Rules Between the Gateway and ZFS” on page 23
■ “Firewall Rules Between the Gateway and Exalogic” on page 25
■ “Firewall Rules Between the Gateway and SuperCluster” on page 27
■ “Firewall Rules Between the Gateway and Exalytics” on page 30
■ “Firewall Rules Between the Gateway and Oracle Database Appliance” on page 31
■ “Firewall Rules Between the Gateway and Oracle Big Data Appliance” on page 32
■ “Firewall Rules Between the Gateway and Oracle Cloud Machine” on page 34
■ “Firewall Rules for the Exadata Rack” on page 46
■ “Firewall Rules Between the Gateway and Oracle Standalone Hosts” on page 47
■ “Firewall Rules Between the Gateway and Oracle Third-Party Hosts” on page 48
■ “Firewall Rules Between the Gateway and Hosts to be Monitored by ADS” on page 49
■ “ZFS, Exalogic, and SuperCluster ASR Endpoint IP Address Changes” on page 50

Firewall Rules Between the Gateway and the Customer Network

The ports outlined in this table are required for accessing the Oracle Advanced Support Gateway customer interfaces (command line and web interfaces), as well as the ports required for integrating syslog and user management email notifications.

TABLE 4 Firewall Rules Between the Gateway and the Customer Network

Source | Destination | Network Protocol/Port | Purpose
Customer User Desktop/Intranet | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Optional: used by customers to test connectivity to the Gateway from their internal networks.
Oracle Advanced Support Gateway | Customer default gateway on DMZ | ICMP Type 0 and 8 | Ping between the Gateway and the default router is used temporarily during installation of the Gateway to confirm network connectivity.
Customer User Desktop/Intranet | Oracle Advanced Support Gateway | TCP/22 | Customer access to the CLI for network and syslog configuration of the Gateway.
Customer User Desktop/Intranet | Oracle Advanced Support Gateway | HTTPS (TCP/443) | Customer access to the Portal interface for administration of the Gateway and access to services.
Oracle Advanced Support Gateway | Customer syslog server | UDP/514 | Rule required if the customer enables the Oracle Advanced Support Gateway Audit Logging feature.

Syslog over UDP/514 is neither encrypted nor acknowledged, so keep the customer syslog server on a trusted network segment and limit the TCP/22 and TCP/443 sources to the administrator networks that actually need them.

Firewall Rules for Gateway Hardware Self Monitoring

This section provides an internal firewall rules table for Oracle Advanced Support Gateway hardware self monitoring.

Note - This functionality is required only if the Gateway ILOM has been configured on a different network than the Gateway Ethernet network interfaces.
TABLE 5 Firewall Rules for Gateway Hardware Self Monitoring

Source | Destination | Network Protocol/Port | Purpose
Oracle Advanced Support Gateway ILOM and Oracle Advanced Support Gateway (bidirectional) | Oracle Advanced Support Gateway and Oracle Advanced Support Gateway ILOM (bidirectional) | ICMP Type 0 and 8 | Used to test bidirectional network connectivity
Oracle Advanced Support Gateway ILOM | Oracle Advanced Support Gateway | SNMP (UDP/162) | SNMP traps for ASR telemetry (Gateway hardware self monitoring)
Oracle Advanced Support Gateway | Oracle Advanced Support Gateway ILOM | RMCP+ (UDP/623) | Management and monitoring via the ILOM interface (IPMI)
Oracle Advanced Support Gateway | Oracle Advanced Support Gateway ILOM | SNMP (UDP/161) | SNMP for ASR telemetry (Gateway hardware self monitoring)
Oracle Advanced Support Gateway | Oracle Advanced Support Gateway ILOM | SSH (TCP/22) | Management and configuration of ILOM
Oracle Advanced Support Gateway | Oracle Advanced Support Gateway ILOM | ASR (TCP/6481) | ASR for discovery and monitoring by service tags
Oracle Advanced Support Gateway | Oracle Advanced Support Gateway ILOM | HTTPS (TCP/443) | Monitoring configuration and fault diagnostic collection

Firewall Rules Between the Gateway and Exadata

This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle Exadata Database Machine.
TABLE 6 Firewall Rules Between the Gateway and Exadata

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
OEM | Oracle Advanced Support Gateway | DB Node and DomU | TCP/1830-1839 | OEM Agent communication; typically port 1830 is used for Oracle Services
SNMP | Oracle Advanced Support Gateway | Infiniband, PDU, Cisco Switch, Cell Node ILOM, Cell Node, DB Node ILOM, DB Node and DomU | UDP/161 | SNMP for ASR telemetry
ASR | Oracle Advanced Support Gateway | Infiniband, Cell Node, Cell Node ILOM, DB Node, DB Node ILOM | TCP/6481 | ASR for discovery and monitoring by service tags
HTTPS | Oracle Advanced Support Gateway | Cell Node ILOM, DB Node ILOM, Infiniband | TCP/443 | Monitoring configuration and fault diagnostic collection
HTTP/HTTPS | Oracle Advanced Support Gateway | PDU | TCP/80 (HTTP) or TCP/443 (HTTPS) | PDU web interface for monitoring configuration and diagnostics. Note - In late Exadata X4-2 and X5-2 or above, the PDU web interface can only be accessed using HTTPS (not HTTP).
SSH | Oracle Advanced Support Gateway | Infiniband, Cell Node, Cell Node ILOM, DB Node and DomU, DB Node ILOM, PDU | TCP/22 | Monitoring configuration, fault diagnostics and patching
SSH/Telnet | Oracle Advanced Support Gateway | Cisco Switch (older switches support only Telnet) | TCP/22 (SSH) or TCP/23 (Telnet) | Monitoring configuration, fault diagnostics and patching
SQL | Oracle Advanced Support Gateway | DB listener IP (VIP). Note - If a database is only listening on a Client/VIP, then access to this interface must also be allowed. | DB listener port; default is TCP/1521 | DB listener port for discovery and ongoing monitoring. Note - This is not required for Platinum Services customers.
RMCP+ | Oracle Advanced Support Gateway | Cell Node ILOM, DB Node ILOM | UDP/623 | Management and monitoring via the ILOM interface (IPMI)
HTTPS (OEM Agent) | DB Node and DomU | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
SNMP | Infiniband, PDU, Cisco Switch, Cell Node ILOM, Cell Node, DB Node ILOM, DB Node | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events and/or network monitoring

Note - For Exadata, customers must add static routes to force all traffic with the Oracle Advanced Support Gateway as its destination to use the Management Network as the primary interface for communication. The static route must be permanent (persistent across reboots): a route added only to the running routing table is deleted when a node restarts, and communication between the agents and the Oracle Advanced Support Gateway then goes down.

Telnet (TCP/23) and HTTP (TCP/80) carry credentials and session data in the clear. Open them only toward switches and PDUs that cannot use SSH or HTTPS, and restrict the source to the Gateway address.

Firewall Rules Between the Gateway and ZDLRA

This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle Zero Data Loss Recovery Appliance (ZDLRA).
TABLE 7 Firewall Rules Between the Gateway and Zero Data Loss Recovery Appliance

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
OEM | Oracle Advanced Support Gateway | Compute Node | TCP/1830-1839 | OEM Agent communication; typically port 1830 is used for Oracle Services
SNMP | Oracle Advanced Support Gateway | Infiniband, PDU, Cisco Switch, Storage Node ILOM, Storage Node, Compute Node ILOM, Compute Node | UDP/161 | SNMP for ASR telemetry
ASR | Oracle Advanced Support Gateway | Infiniband, Storage Node, Storage Node ILOM, Compute Node, Compute Node ILOM | TCP/6481 | ASR for discovery and monitoring by service tags
HTTPS | Oracle Advanced Support Gateway | Storage Node ILOM, Compute Node ILOM, Infiniband | TCP/443 | Monitoring configuration and fault diagnostic collection
HTTP/HTTPS | Oracle Advanced Support Gateway | PDU | TCP/80 (HTTP) or TCP/443 (HTTPS) | PDU web interface for monitoring configuration and diagnostics. Note - In late Exadata X4-2 and X5-2 or above, the PDU web interface can only be accessed using HTTPS (not HTTP).
SSH | Oracle Advanced Support Gateway | Infiniband, Storage Node, Storage Node ILOM, Compute Node, Compute Node ILOM, PDU | TCP/22 | Monitoring configuration, fault diagnostics and patching
SSH/Telnet | Oracle Advanced Support Gateway | Cisco Switch (older switches support only Telnet) | TCP/22 (SSH) or TCP/23 (Telnet) | Monitoring configuration, fault diagnostics and patching
SQL | Oracle Advanced Support Gateway | DB listener IP (VIP). Note - If a database is only listening on a Client/VIP, then access to this interface must also be allowed. | DB listener port; default is TCP/1521 | DB listener port for discovery and ongoing monitoring
RMCP+ | Oracle Advanced Support Gateway | Storage Node ILOM, Compute Node ILOM | UDP/623 | Management and monitoring via the ILOM interface (IPMI)
HTTPS (OEM Agent) | Compute Node | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
SNMP | Infiniband, PDU, Cisco Switch, Storage Node ILOM, Storage Node, Compute Node ILOM, Compute Node | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events and/or network monitoring

Note - For Zero Data Loss Recovery Appliance, customers must add static routes to force all traffic with the Oracle Advanced Support Gateway as its destination to use the Management Network as the primary interface for communication. The static route must be permanent (persistent across reboots): a route added only to the running routing table is deleted when a node restarts, and communication between the agents and the Oracle Advanced Support Gateway then goes down.

Firewall Rules Between the Gateway and ZFS

This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle ZFS Storage Appliance Racked System (ZFS).
TABLE 8 Firewall Rules Between the Gateway and ZFS Storage Appliance Racked System

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
SSH | Oracle Advanced Support Gateway | ZFS Storage Heads | TCP/22 | Monitoring configuration, fault diagnostics, and patching
SSH | Oracle Advanced Support Gateway | PDU | TCP/22 | Monitoring configuration, fault diagnostics and patching
HTTPS | Oracle Advanced Support Gateway | PDU | TCP/443 (HTTPS) | PDU web interface for monitoring configuration and diagnostics
HTTPS | Oracle Advanced Support Gateway | ZFS ILOM | TCP/443 | Monitoring configuration and fault diagnostic collection
HTTPS | Oracle Advanced Support Gateway | ZFS Storage Heads | TCP/215 | OEM plug-in communication to ZFS for monitoring
SNMP | Oracle Advanced Support Gateway | PDU, ZFS ILOM | UDP/161 | SNMP for ASR telemetry
SNMP | ZFS ILOM, ZFS Storage Heads, PDU | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events
RMCP+ | Oracle Advanced Support Gateway | ZFS ILOM | UDP/623 | Management and monitoring using the ILOM interface (IPMI)
ZFS Phone Home | ZFS Storage Heads | Direct access or proxy to asr-services.oracle.com, inv-cs.oracle.com and transport.oracle.com (129.157.65.13 or 129.157.65.14; proxy IP 141.146.1.169) | TCP/443 or proxy port | ZFS Phone Home can also support an internet proxy
ZFS Phone Home | ZFS Storage Heads | Oracle Advanced Support Gateway | TCP/8000 | Gateway hosting a proxy server
SSH | ZFS Controllers | Oracle Advanced Support Gateway | TCP/22 | Used to copy patches from the Gateway to the ZFS arrays, as SCP is available only to pull from a remote system to the ZFS array.
Note - ZFS reporting for ASR is an exception, as error telemetry is reported directly to Oracle using port 443.

Firewall Rules Between the Gateway and Exalogic

This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle Exalogic Elastic Cloud.

TABLE 9 Firewall Rules Between the Gateway and Exalogic

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
OEM | Oracle Advanced Support Gateway | Compute Node | TCP/1830-1839 | OEM Agent communication; typically 1830 is used for Oracle Services
SNMP | Oracle Advanced Support Gateway | Infiniband, Control VMs (virtual only), PDU, Cisco Switch, Compute Node, Compute Node ILOM, Virtual Instances | UDP/161 | SNMP for ASR telemetry
ASR | Oracle Advanced Support Gateway | Compute Node, Compute Node ILOM, Infiniband | TCP/6481 | ASR for discovery and monitoring by service tags
HTTPS | Oracle Advanced Support Gateway | Compute Node ILOM, Infiniband, ZFS ILOM | TCP/443 | Monitoring configuration and fault diagnostic collection
HTTP/HTTPS | Oracle Advanced Support Gateway | PDU | TCP/80 (HTTP) or TCP/443 (HTTPS) | PDU web interface for monitoring configuration and diagnostics. Note - In late Exalogic X4-2 and X5-2 or above, the PDU web interface can only be accessed using HTTPS (not HTTP).
SSH | Oracle Advanced Support Gateway | Infiniband, Control VMs (virtual only), ZFS Storage Heads, Compute Node, ZFS ILOM, Compute Node ILOM | TCP/22 | Monitoring configuration, fault diagnostics and patching
SSH/Telnet | Oracle Advanced Support Gateway | Cisco Switch (older switches support only Telnet) | TCP/22 (SSH) or TCP/23 (Telnet) | Monitoring configuration, fault diagnostics and patching
SQL | Oracle Advanced Support Gateway | Control VMs (virtual only). Note - If a database is only listening on a Client/VIP, access to this interface must also be allowed. | DB listener port; default is TCP/1521 | DB listener port for discovery and ongoing monitoring
RMCP+ | Oracle Advanced Support Gateway | Compute Node ILOM | UDP/623 | Management and monitoring using the ILOM interface (IPMI)
HTTPS | Oracle Advanced Support Gateway | Compute Node | TCP/7001-7002 | Monitoring install and diagnostics collection
HTTPS - ZFS agent | Oracle Advanced Support Gateway | ZFS Storage Heads | TCP/215 | OEM plug-in communication to ZFS for monitoring
HTTPS (OEM agent) | Compute Node | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
SNMP | Infiniband, Control VMs (virtual only), PDU, ZFS ILOM, Cisco Switch, Compute Node, Compute Node ILOM | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events
HTTP | Compute Node (Solaris) Zones | Oracle Advanced Support Gateway | TCP/5555 | Solaris Explorer uploads for automatic uploads for events
HTTPS | Compute Node (Solaris) Zones | Oracle Advanced Support Gateway | TCP/8234 | ASR Assets to communicate with ASR Manager
ZFS Phone Home | ZFS Storage Heads | Direct access or proxy to asr-services.oracle.com, inv-cs.oracle.com and transport.oracle.com (129.157.65.13 or 129.157.65.14; proxy IP 141.146.1.169) | TCP/443 or proxy port | ZFS Phone Home can also support an internet proxy
ZFS Phone Home | ZFS Storage Heads | Oracle Advanced Support Gateway | TCP/8000 | Gateway hosting a proxy server

Note - For Exalogic, customers must add static routes to force all traffic with the Oracle Advanced Support Gateway as its destination to use the Management Network as the primary interface for communication. The static route must be permanent (persistent across reboots): a route added only to the running routing table is deleted when a node restarts, and communication between the agents and the Oracle Advanced Support Gateway then goes down.

Firewall Rules Between the Gateway and SuperCluster

This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle SuperCluster.
TABLE 10 Firewall Rules Between the Gateway and SuperCluster

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
OEM | Oracle Advanced Support Gateway | All Domains | TCP/1830-1839 | OEM agent communication; typically 1830 is used for Oracle Services
SNMP | Oracle Advanced Support Gateway | Infiniband, Zones based on monitoring service, PDU, Cisco Switch, SPARC Server ILOMs (virtual/floating addresses as well as physical addresses), Primary Domains, Cell Node, Cell Node ILOM | UDP/161 | SNMP for ASR telemetry
ASR | Oracle Advanced Support Gateway | Infiniband, SPARC Server ILOMs (virtual/floating addresses as well as physical addresses), Primary Domains, Cell Node, Cell Node ILOM | TCP/6481 | ASR for discovery and monitoring by service tags
HTTPS | Oracle Advanced Support Gateway | SPARC Server ILOMs (virtual/floating addresses as well as physical addresses), Infiniband, ZFS ILOM, Cell Node ILOM | TCP/443 | Monitoring configuration and fault diagnostic collection
HTTPS - ZFS agent | Oracle Advanced Support Gateway | ZFS Storage Heads | TCP/215 | OEM plug-in communication to ZFS for monitoring
SSH | Oracle Advanced Support Gateway | Infiniband, ZFS Storage Heads, ZFS ILOM, SPARC Server ILOMs (virtual/floating addresses as well as physical addresses), Cell Node ILOM, Cell Node, PDU, All Domains, Zones based on monitoring service | TCP/22 | Monitoring configuration, fault diagnostics and patching
HTTP/HTTPS | Oracle Advanced Support Gateway | PDU | TCP/80 (HTTP) or TCP/443 (HTTPS) | PDU web interface for monitoring configuration and diagnostics
SSH/Telnet | Oracle Advanced Support Gateway | Cisco Switch (older switches support only Telnet) | TCP/22 (SSH) or TCP/23 (Telnet) | Monitoring configuration, fault diagnostics and patching
SQL | Oracle Advanced Support Gateway | Database domains/zones, Client/VIP. Note - If a database is only listening on a Client/VIP, access to this interface must also be allowed. | DB listener port; default is TC/1521 | DB listener port for discovery and ongoing monitoring. Note - This is not required for Platinum Services customers.
RMCP+ | Oracle Advanced Support Gateway | SPARC Server ILOMs (virtual/floating addresses as well as physical addresses), Cell Node ILOM, ZFS ILOM | UDP/623 | Management and monitoring using the ILOM interface (IPMI)
WebLogic | Oracle Advanced Support Gateway | WebLogic instances | TCP/7001-7002 | Monitoring install and diagnostics collection
HTTPS (OEM Agent) | All Domains | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
SNMP | Primary Domains, Zones based on monitoring service, Infiniband, PDU, Cisco Switch, SPARC Server ILOMs (virtual/floating addresses as well as physical addresses), Cell Node, Cell Node ILOM | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events
HTTP | Primary Domains | Oracle Advanced Support Gateway | TCP/5555 | Solaris Explorer uploads for automatic uploads for events
HTTPS | Primary Domains | Oracle Advanced Support Gateway | TCP/8234 | ASR Manager to communicate with ASR Assets
HTTPS | Oracle Advanced Support Gateway | SuperCluster Control Domain | TCP/8000 | Access to the IO Domain Creation Tool for monitoring and log file collection
ZFS Phone Home | ZFS Storage Heads | Direct access or proxy to asr-services.oracle.com, inv-cs.oracle.com and transport.oracle.com (129.157.65.13 or 129.157.65.14; proxy IP 141.146.1.169) | TCP/443 or proxy port | ZFS Phone Home can also support an internet proxy
ZFS Phone Home | ZFS Storage Heads | Oracle Advanced Support Gateway | TCP/8000 | Gateway hosting a proxy server

Note - For SuperCluster, customers must add static routes to force all traffic with the Oracle Advanced Support Gateway as its destination to use the Management Network as the primary interface for communication. The static route must be permanent (persistent across reboots): a route added only to the running routing table is deleted when a node restarts, and communication between the agents and the Oracle Advanced Support Gateway then goes down.

Firewall Rules Between the Gateway and Exalytics

This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle Exalytics In-Memory Machine.
TABLE 11 Firewall Rules Between the Gateway and Exalytics

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
SNMP | Oracle Advanced Support Gateway | Exalytics and Exalytics ILOM | UDP/161 | SNMP for ASR telemetry
ASR | Oracle Advanced Support Gateway | Exalytics and Exalytics ILOM | TCP/6481 | ASR for discovery and monitoring by service tags
HTTPS | Exalytics CDom | Oracle Advanced Support Gateway | TCP/8234 | ASR Manager to communicate with ASR Assets
OEM | Oracle Advanced Support Gateway | Exalytics Domains and DomU | TCP/1830-1839 | OEM Agent communication; typically 1830 is used for Oracle Services
SSH | Oracle Advanced Support Gateway | Exalytics Domains, DomU, Dom0, and ILOM | TCP/22 | Monitoring configuration, fault diagnostics and patching
SNMP | Exalytics CDom and ILOM | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events and/or network monitoring
HTTPS (OEM Agent) | Exalytics Domains and DomU | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
RMCP+ | Oracle Advanced Support Gateway | Exalytics ILOM | UDP/623 | Management and monitoring via the ILOM interface (IPMI)
HTTPS | Oracle Advanced Support Gateway | Exalytics and Exalytics ILOM | TCP/443 | Monitoring configuration and fault diagnostic collection

Firewall Rules Between the Gateway and Oracle Database Appliance

This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle Database Appliance.
TABLE 12 Firewall Rules Between the Gateway and Oracle Database Appliance

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
SNMP | Oracle Advanced Support Gateway | DB, Compute Node, and Compute Node ILOM | UDP/161 | SNMP for ASR telemetry
ASR | Oracle Advanced Support Gateway | DB, Compute Node, and Compute Node ILOM | TCP/6481 | ASR for discovery and monitoring by service tags
OEM | Oracle Advanced Support Gateway | DB, DomU, or Compute Node | TCP/1830-1839 | OEM Agent communication; typically 1830 is used for Oracle Services
SSH | Oracle Advanced Support Gateway | DB, DomU, Compute Node, and Compute Node ILOM | TCP/22 | Monitoring configuration, fault diagnostics and patching
SNMP | DB, Compute Node, and Compute Node ILOM | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events and/or network monitoring
HTTPS (OEM Agent) | DB, DomU, and Compute Node | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
RMCP+ (IPMI) | Oracle Advanced Support Gateway | Compute Node ILOM | UDP/623 | Management and monitoring via the ILOM interface (IPMI)
HTTPS | Oracle Advanced Support Gateway | DB or Compute Node ILOM | TCP/443 | Monitoring configuration and fault diagnostic collection

Firewall Rules Between the Gateway and Oracle Big Data Appliance

This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle Big Data Appliance.
TABLE 13 Firewall Rules Between the Gateway and Oracle Big Data Appliance

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
SNMP | Oracle Advanced Support Gateway | Infiniband, PDU, Cisco Switch, Compute Node ILOM, DomU, or Compute Node | UDP/161 | SNMP for ASR telemetry
ASR | Oracle Advanced Support Gateway | Infiniband, Compute Node, and Compute Node ILOM | TCP/6481 | ASR for discovery and monitoring by service tags
OEM | Oracle Advanced Support Gateway | DomU or Compute Node | TCP/1830-1839 | OEM Agent communication; typically 1830 is used for Oracle Services
SSH | Oracle Advanced Support Gateway | Infiniband, DomU, Compute Node ILOM, and PDU | TCP/22 | Monitoring configuration, fault diagnostics and patching
SNMP | Infiniband, PDU, Cisco Switch, Compute Node ILOM, and Compute Node | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events and/or network monitoring
HTTPS (OEM Agent) | Compute Node and DomU | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
RMCP+ (IPMI) | Oracle Advanced Support Gateway | Compute Node ILOM | UDP/623 | Management and monitoring via ILOM interface (IPMI)
HTTPS | Oracle Advanced Support Gateway | Compute Node ILOM | TCP/443 | Monitoring configuration and fault diagnostic collection
SSH/Telnet | Oracle Advanced Support Gateway | Cisco Switch (older switches support only Telnet) or Infiniband | TCP/22 (SSH) or TCP/23 (Telnet) | Monitoring configuration, fault diagnostics and patching
HTTP | Oracle Advanced Support Gateway | PDU | TCP/80 (HTTP), TCP/443 (HTTPS) | PDU web interface for monitoring configuration and diagnostics
HTTP/HTTPS | Oracle Advanced Support Gateway | Cloudera Manager | TCP/7180 (HTTP) or TCP/7183 (HTTPS) | Cloudera Manager web interface for monitoring configuration and diagnostics. The Cloudera Manager must be HTTPS or HTTP. The customer may change the default ports.

Firewall Rules Between the Gateway and Oracle Cloud Machine

This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle Cloud Machine (OCM).

Note - ZFS reporting for ASR is an exception, as error telemetry is reported directly to Oracle using port 443 on OCM.

TABLE 14 Firewall Rules Between the Gateway and Oracle Cloud Machine

Application Protocol | Source Interface(s) | Destination Interface(s) | Network | Network Protocol/Port | Purpose
ICMP | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Oracle Advanced Support Gateway | Eth-Admin | ICMP Type 8 | Used to test network connectivity between OCM systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Eth-Admin | ICMP Type 0 | Used to test network connectivity between OCM systems and the Gateway
ICMP | Compute nodes (cn); Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | Oracle Advanced Support Gateway | EoIB-Management | ICMP Type 8 | Used to test network connectivity between OCM systems and the Gateway
ICMP | Oracle Advanced Support Gateway | Compute nodes (cn); Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | EoIB-Management | ICMP Type 0 | Used to test network connectivity between OCM systems and the Gateway
ICMP | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | Oracle Advanced Support Gateway | EoIB-OMS | ICMP Type 8 | Used to test network connectivity between OCM systems and the Gateway
ICMP | Oracle Advanced Support Gateway | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | EoIB-OMS | ICMP Type 0 | Used to test network connectivity between OCM systems and the Gateway
OEM | Oracle Advanced Support Gateway | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | EoIB-OMS | TCP/1830-1839 | OEM agent communication; typically 1830 is used for Oracle Services
OEM | Oracle Advanced Support Gateway | Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | EoIB-Management | TCP/1830-1839 | OEM agent communication; typically 1830 is used for Oracle Services
ASR | Oracle Advanced Support Gateway | Compute Node ILOMs; All Infiniband switches; Internal ZFS Storage ILOMs; External ZFS Storage ILOMs | Eth-Admin | TCP/6481 | ASR for discovery and monitoring by service tags
HTTPS | Oracle Advanced Support Gateway | Compute Node ILOMs; All Infiniband switches; Internal ZFS Storage ILOMs; External ZFS Storage ILOMs; PDU | Eth-Admin | TCP/443 | Web interface for monitoring configuration and diagnostics
SSH | Oracle Advanced Support Gateway | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Eth-Admin | TCP/22 | Monitoring configuration, fault diagnostics, and patching
SSH | Oracle Advanced Support Gateway | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | EoIB-OMS | TCP/22 | Monitoring configuration, fault diagnostics, and patching
SSH | Oracle Advanced Support Gateway | Compute nodes (cn); Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | EoIB-Management | TCP/22 | Monitoring configuration, fault diagnostics, and patching
SQL | Oracle Advanced Support Gateway | Infrastructure Database (cidb) VMs | EoIB-OMS | DB listener port, default is TCP/1521 | DB listener port for discovery and ongoing monitoring
IPMI | Oracle Advanced Support Gateway | Compute Node ILOMs; All Infiniband switches; Internal ZFS Storage ILOMs; External ZFS Storage ILOMs | Eth-Admin | UDP/623 | Management and monitoring using the ILOM interface (IPMI)
HTTPS (OEM Agent) | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | Oracle Advanced Support Gateway | EoIB-OMS | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
HTTPS (OEM Agent) | Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | Oracle Advanced Support Gateway | EoIB-Management | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
HTTPS (WebLogic Consoles) | Oracle Advanced Support Gateway | PaaS Management (cipsm) VMs | EoIB-Management | TCP/7101, 7103 | WebLogic application management
HTTPS (WebLogic Consoles) | Oracle Advanced Support Gateway | Service Deployment Infrastructure and Tenant Automation Solution (cisdi) VMs | EoIB-OMS | TCP/7001, 7003 | WebLogic application management
HTTPS (WebLogic Consoles) | Oracle Advanced Support Gateway | The following VMs: Identity Management (cisim); Integration Cloud Services (ics); Messaging (msg-mcs) | EoIB-OMS | TCP/7001 | WebLogic application management
HTTPS (Traffic Director Console) | Oracle Advanced Support Gateway | The following VMs: External routing (cilbe); Internal routing (cilbi) | EoIB-OMS | TCP/8989 | Oracle Traffic Director management
HTTPS (PSM Traffic Director Console) | Oracle Advanced Support Gateway | PaaS Management (cipsm) VMs | EoIB-Management | TCP/8989 | PSM Traffic Director management
HTTPS (IDM Admin) | Oracle Advanced Support Gateway | External routing (cilbe) VMs | EoIB-OMS | TCP/6900, 443, 4443 | IDM administration
SNMP | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Oracle Advanced Support Gateway | Eth-Admin | UDP/162 | SNMP for monitoring events
SNMP | Oracle Advanced Support Gateway | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Eth-Admin | UDP/161 | SNMP event enrichment
SNMP | Compute nodes (cn) | Oracle Advanced Support Gateway | EoIB-Management | UDP/162 | SNMP for monitoring events
SNMP | Oracle Advanced Support Gateway | Compute nodes (cn) | EoIB-Management | UDP/161 | SNMP event enrichment
HTTPS | Oracle Advanced Support Gateway | Compute Nodes (cn); Host API Endpoint; Admin API Endpoint | EoIB-Management | TCP/443 | Secure Web interface (hardware consoles, Identity Management console, API access)
HTTPS | Internal ZFS Storage Controllers; External ZFS Storage Controllers | Oracle Advanced Support Gateway | Eth-Admin | TCP/8000 | Optional ZFS ASR proxy
SSH | Internal ZFS Storage Controllers; External ZFS Storage Controllers | Oracle Advanced Support Gateway | Eth-Admin | TCP/22 | Copying of patches
HTTP | Oracle Advanced Support Gateway | Internal ZFS Storage Controllers; External ZFS Storage Controllers | Eth-Admin | TCP/215 | ZFS management
HTTPS | Privileged Control VMs (cipc) | External routing (cilbe) VMs; External routing VIP | EoIB-Public | TCP/6900, 443, 4443 | Service monitoring
HTTP | Oracle Advanced Support Gateway | PaaS Management (cipsm) VMs; PaaS Management VIP | Eth-Management | TCP/80 | Service console validation

Firewall Rules Between the Gateway and Exadata Cloud Machine

This section provides a number of tables showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle Database Exadata Cloud Machine (ExaCM). Please refer to the following:

■ “Firewall Rules Between the Gateway and Exadata Cloud Machine” on page 39
■ “Firewall Rules Between the Gateway and Exadata Cloud Machine Components” on page 44
■ “Firewall Rules for the Exadata Rack” on page 46

Firewall Rules Between the Gateway and Exadata Cloud Machine

This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle Database Exadata Cloud Machine (ExaCM).

Note - ZFS reporting for ASR is an exception, as error telemetry is reported directly to Oracle using port 443 on ExaCM.
TABLE 15 Firewall Rules Between the Gateway and Exadata Cloud Machine

Application Protocol | Source Interface(s) | Destination Interface(s) | Network | Network Protocol/Port | Purpose
ICMP | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Oracle Advanced Support Gateway | Eth-Admin | ICMP Type 8 | Used to test network connectivity between ExaCM systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Eth-Admin | ICMP Type 0 | Used to test network connectivity between ExaCM systems and the Gateway
ICMP | Compute nodes (cn); Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | Oracle Advanced Support Gateway | EoIB-Management | ICMP Type 8 | Used to test network connectivity between ExaCM systems and the Gateway
ICMP | Oracle Advanced Support Gateway | Compute nodes (cn); Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | EoIB-Management | ICMP Type 0 | Used to test network connectivity between ExaCM systems and the Gateway
ICMP | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | Oracle Advanced Support Gateway | EoIB-OMS | ICMP Type 8 | Used to test network connectivity between ExaCM systems and the Gateway
ICMP | Oracle Advanced Support Gateway | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | EoIB-OMS | ICMP Type 0 | Used to test network connectivity between ExaCM systems and the Gateway
OEM | Oracle Advanced Support Gateway | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | EoIB-OMS | TCP/1830-1839 | OEM agent communication; typically 1830 is used for Oracle Services
OEM | Oracle Advanced Support Gateway | Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | EoIB-Management | TCP/1830-1839 | OEM agent communication; typically 1830 is used for Oracle Services
ASR | Oracle Advanced Support Gateway | Compute Node ILOMs; All Infiniband switches; Internal ZFS Storage ILOMs; External ZFS Storage ILOMs | Eth-Admin | TCP/6481 | ASR for discovery and monitoring by service tags
HTTPS | Oracle Advanced Support Gateway | Compute Node ILOMs; All Infiniband switches; Internal ZFS Storage ILOMs; External ZFS Storage ILOMs; PDU | Eth-Admin | TCP/443 | Web interface for monitoring configuration and diagnostics
SSH | Oracle Advanced Support Gateway | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Eth-Admin | TCP/22 | Monitoring configuration, fault diagnostics, and patching
SSH | Oracle Advanced Support Gateway | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | EoIB-OMS | TCP/22 | Monitoring configuration, fault diagnostics, and patching
SSH | Oracle Advanced Support Gateway | Compute nodes (cn); Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | EoIB-Management | TCP/22 | Monitoring configuration, fault diagnostics, and patching
SQL | Oracle Advanced Support Gateway | Infrastructure Database (cidb) VMs | EoIB-OMS | DB listener port, default is TCP/1521 | DB listener port for discovery and ongoing monitoring
IPMI | Oracle Advanced Support Gateway | Compute Node ILOMs; All Infiniband switches; Internal ZFS Storage ILOMs; External ZFS Storage ILOMs | Eth-Admin | UDP/623 | Management and monitoring using the ILOM interface (IPMI)
HTTPS (OEM Agent) | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | Oracle Advanced Support Gateway | EoIB-OMS | TCP/1159 | OEM agent communication to the Gateway
HTTPS (OEM Agent) | Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | Oracle Advanced Support Gateway | EoIB-Management | TCP/1159 | OEM agent communication to the Gateway
HTTPS (WebLogic Consoles) | Oracle Advanced Support Gateway | PaaS management (cipsm) VMs | EoIB-Management | TCP/7101, 7103 | WebLogic application management
HTTPS (WebLogic Consoles) | Oracle Advanced Support Gateway | Service Deployment Infrastructure and Tenant Automation Solution (cisdi) VMs | EoIB-OMS | TCP/7001, 7003 | WebLogic application management
HTTPS (WebLogic Consoles) | Oracle Advanced Support Gateway | The following VMs: Identity Management (cisim); Integration Cloud Services (ics); Messaging (msg-mcs) | EoIB-OMS | TCP/7001 | WebLogic application management
HTTPS (Traffic Director Console) | Oracle Advanced Support Gateway | Oracle Traffic Director (cilbe, cilbi) VMs | EoIB-OMS | TCP/8989 | Oracle Traffic Director management
HTTPS (PSM Traffic Director Console) | Oracle Advanced Support Gateway | PaaS management (cipsm) VMs | EoIB-Management | TCP/8989 | PSM Traffic Director management
HTTPS (IDM Admin) | Oracle Advanced Support Gateway | External routing (cilbe) VMs | EoIB-OMS | TCP/6900, 443, 4443 | IDM administration
SNMP | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Oracle Advanced Support Gateway | Eth-Admin | UDP/162 | SNMP for monitoring events
SNMP | Oracle Advanced Support Gateway | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Eth-Admin | UDP/161 | SNMP event enrichment
SNMP | Compute nodes (cn) | Oracle Advanced Support Gateway | EoIB-Management | UDP/162 | SNMP for monitoring events
SNMP | Oracle Advanced Support Gateway | Compute nodes (cn) | EoIB-Management | UDP/161 | SNMP event enrichment
HTTPS | Oracle Advanced Support Gateway | Compute Nodes (cn); Host API Endpoint; Admin API Endpoint | EoIB-Management | TCP/443 | Secure Web interface (hardware consoles, Identity Management console, API access)
HTTPS | Internal ZFS Storage Controllers; External ZFS Storage Controllers | Oracle Advanced Support Gateway | Eth-Admin | TCP/8000 | Optional ZFS ASR proxy
SSH | Internal ZFS Storage Controllers; External ZFS Storage Controllers | Oracle Advanced Support Gateway | Eth-Admin | TCP/22 | Copying of patches
HTTP | Oracle Advanced Support Gateway | Internal ZFS Storage Controllers; External ZFS Storage Controllers | Eth-Admin | TCP/215 | ZFS management
HTTPS | Privileged Control VMs (cipc) | External routing (cilbe) VMs; External routing VIP | EoIB-Public | TCP/6900, 443, 4443 | Service monitoring
HTTP | Oracle Advanced Support Gateway | PaaS management (cipsm) VMs; PaaS management VIP | EoIB-Management | TCP/80 | Service console validation

Firewall Rules Between the Gateway and Exadata Cloud Machine Components

This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle Database Exadata Cloud Machine (ExaCM) components.

TABLE 16 Firewall Rules Between the Gateway and Exadata Cloud Machine Components

Application Protocol | Source Interface(s) | Destination Interface(s) | Network | Network Protocol/Port | Purpose
ICMP | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Oracle Advanced Support Gateway | Eth-Admin | ICMP Type 8 | Used to test network connectivity between ExaCM systems and the Gateway
ICMP | Oracle Advanced Support Gateway | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Eth-Admin | ICMP Type 0 | Used to test network connectivity between ExaCM systems and the Gateway
IPMI | Oracle Advanced Support Gateway | Exadata targets: Exadata Storage ILOM; Compute node ILOMs | Eth-Admin | UDP/623 | Management and monitoring using the ILOM interface (IPMI)
SSH | Oracle Advanced Support Gateway | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Eth-Admin | TCP/22 | Monitoring configuration, fault diagnostics, and patching
ASR | Oracle Advanced Support Gateway | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs | Eth-Admin | TCP/6481 | ASR for discovery and monitoring by service tags
SNMP | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Oracle Advanced Support Gateway | Eth-Admin | UDP/162 | SNMP for monitoring events
SNMP | Oracle Advanced Support Gateway | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Eth-Admin | UDP/161 | SNMP event enrichment
HTTPS | Oracle Advanced Support Gateway | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU | Eth-Admin | TCP/443 |
SSH | Oracle Advanced Support Gateway | Exadata Cloud Rest API (ECRA) VMs | EoIB-Management | TCP/22 | Monitoring configuration, fault diagnostics, and patching
OEM | Oracle Advanced Support Gateway | Exadata Cloud Rest API (ECRA) VMs | EoIB-Management | TCP/1830-1839 | OEM agent communication; typically 1830 is used for Oracle Services
HTTPS (OEM agent) | Exadata Cloud Rest API (ECRA) VMs | Oracle Advanced Support Gateway | EoIB-Management | TCP/1159 | OEM agent communication to the Gateway
HTTPS (application monitoring) | Oracle Advanced Support Gateway | Exadata Cloud Rest API (ECRA) VMs | EoIB-Management | TCP/7080, 8001, 9001 | Service monitoring and management

Firewall Rules for the Exadata Rack

This section provides a table showing the firewall rules for the Exadata rack. These rules are required if the Exadata rack is isolated from the Oracle Cloud Machine (OCM) and sits behind a firewall.
TABLE 17 Firewall Rules for the Exadata Rack

Application Protocol | Source Interface(s) | Destination Interface(s) | Network | Network Protocol/Port | Purpose
SSH | Exadata Cloud Rest API (ECRA) VMs | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Eth-Admin | TCP/22 | Required for monitoring
HTTPS | Exadata Cloud Rest API (ECRA) VMs | PDU | Eth-Admin | TCP/443 | PDU monitoring
IPMI | Exadata Cloud Rest API (ECRA) VMs | Exadata targets: Exadata Storage ILOM; Compute node ILOMs | Eth-Admin | UDP/623 | EM hardware monitoring via ipmitool
SNMP | Exadata Storage Servers | Exadata Cloud Rest API (ECRA) VMs | Eth-Admin | UDP/1830 | Exadata Storage Server alerts are forwarded to the OEM plug-in
ICMP | Exadata Cloud Rest API (ECRA) VMs | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Eth-Admin | ICMP Type 0 | Monitor network available for all Exadata targets
ICMP | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Exadata Cloud Rest API (ECRA) VMs | Eth-Admin | ICMP Type 8 | Monitor network available for all Exadata targets

Firewall Rules Between the Gateway and Oracle Standalone Hosts

This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle standalone hosts.
TABLE 18 Firewall Rules Between the Gateway and Oracle Standalone Hosts

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
SNMP | Oracle Advanced Support Gateway | Host; Host ILOM (if Oracle hardware) | UDP/161 | SNMP for ASR telemetry
OEM | Oracle Advanced Support Gateway | Host | TCP/1830-1839 | OEM agent communication; typically 1830 is used for Oracle Services
ASR | Oracle Advanced Support Gateway | Host; Host ILOM (if Oracle hardware) | TCP/6481 | ASR for discovery and monitoring by service tags
SSH | Oracle Advanced Support Gateway | Host; Host ILOM (if Oracle hardware) | TCP/22 | Monitoring configuration, fault diagnostics and patching
SNMP | Host; Host ILOM (if Oracle hardware) | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events and/or network monitoring
HTTPS (OEM Agent) | Host | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
RMCP+ | Oracle Advanced Support Gateway | Host; Host ILOM (if Oracle hardware) | UDP/623 | Management and monitoring using ILOM interface (IPMI)
HTTPS | Oracle Advanced Support Gateway | Host; Host ILOM (if Oracle hardware) | TCP/443 | Monitoring configuration and fault diagnostic collection
HTTPS (ZFS agent) | Oracle Advanced Support Gateway | ZFS Storage Heads | TCP/215 | OEM plug-in communication to ZFS for monitoring
HTTPS | Primary Domain | Oracle Advanced Support Gateway | TCP/8234 | ASR Manager to communicate with ASR Assets
ZFS Phone Home | ZFS Storage Heads | asr-services.oracle.com; inv-cs.oracle.com; direct access or proxy to transport.oracle.com (129.157.65.13, 129.157.65.14, 141.146.1.169) or proxy IP | TCP/443 or proxy port | ZFS Phone Home can also support an internet proxy
ZFS Phone Home | ZFS Storage Heads | Oracle Advanced Support Gateway | TCP/8000 | Gateway hosting a proxy server

Firewall Rules Between the Gateway and Oracle Third-Party Hosts

This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle third-party hosts.

Note - ILOMs on non-Oracle hardware can be monitored by Oracle Advanced Monitoring and Resolution. ILOMs on non-Oracle hardware cannot be monitored by Oracle Platinum Services or Oracle Auto Service Request (ASR).

TABLE 19 Firewall Rules Between the Gateway and Third-Party Standalone Hosts

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
SNMP | Oracle Advanced Support Gateway | Host; Host ILOM (if Oracle hardware) | UDP/161 | SNMP for ASR telemetry
OEM | Oracle Advanced Support Gateway | Host | TCP/1830-1839 | OEM agent communication; typically 1830 is used for Oracle Services
SSH | Oracle Advanced Support Gateway | Host | TCP/22 | SSH connection for implementation and ongoing support
SNMP | Host; Host ILOM (if Oracle hardware) | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events and/or network monitoring
HTTPS (OEM Agent) | Host | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway

Firewall Rules Between the Gateway and Hosts to be Monitored by ADS

This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and hosts to be monitored by Oracle Advanced Database Support (ADS).

Note - Oracle Advanced Database Support (ADS), an Oracle service that offers database fault monitoring with automatic service request submission, database security compliance reporting, proactive database health checks, and remote patch deployment, may be added to Platinum and non-Platinum systems for a fee.

TABLE 20 Firewall Rules Between the Gateway and Hosts to be Monitored by Oracle Advanced Database Support (ADS)

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
SSH | Oracle Advanced Support Gateway | Host | TCP/22 | SSH connection for implementation and ongoing support
SQL | Oracle Advanced Support Gateway | Host | DB listener port, default is TCP/1521 | DB listener port for discovery and ongoing monitoring. Note - This is not required for Platinum Services customers.
OEM | Oracle Advanced Support Gateway | Host | TCP/1830-1839 | OEM agent communication; typically 1830 is used for Oracle Services
HTTPS (OEM Agent) | Host | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway

ZFS, Exalogic, and SuperCluster ASR Endpoint IP Address Changes

This section provides a table showing ZFS Storage Appliance Racked System, Exalogic, and SuperCluster ASR Endpoint IP address changes.

TABLE 21 ZFS Storage Appliance Racked System, Exalogic, and SuperCluster ASR Endpoint IP Address Changes

Service | Used By | Old IP Address | New IP Address
inv-cs.oracle.com | ZFS Storage Heads; Exalogic; SuperCluster | 192.18.110.10 | 129.157.65.14
asr-services.oracle.com | ZFS Storage Heads; Exalogic; SuperCluster | 192.18.110.13 | 129.157.65.13

Implementation Changes to a Customer System

This section outlines the changes made to a customer's system during the implementation of Oracle Gateway Enabled services, including Platinum Services, Business Critical Service for Systems, Lifecycle Support Services, and Advanced Monitoring and Resolution. Oracle Advanced Support Gateway runs Oracle Enterprise Manager Cloud Control to perform its monitoring. Oracle Enterprise Manager Cloud Control requires agents to be installed on hosts, and then uses various plug-ins to monitor those devices that cannot be monitored directly. This section describes the monitoring method for a device and the configuration to be performed. Refer to the following sections:

■ “The Monitoring Matrix” on page 51
■ “Implementation Impact on the Environment” on page 52
■ “Utilization Impact Risk of OEM Cloud Control Agent on Monitored Systems” on page 57

The Monitoring Matrix

This section provides a table of devices and shows how each device is monitored.
TABLE 22  Devices and their Associated Monitoring Methods

Device | Monitor Component | Cloud Control Agent | Plug-in Target Type | SNMP Trap | ASR
Engineered System | Exadata Storage Cell | No | Oracle Exadata Storage Server | Yes | Yes
Engineered System | Cisco Switch | No | Oracle Engineered System Cisco Switch | Yes | No
Engineered System | Infiniband Switch | No | Oracle Infiniband Switch | Yes | No
Engineered System | PDU | No | Oracle Engineered System PDU | Yes | No
Engineered System | OVS Compute Node | No | Oracle Engineered System ILOM Server | Yes | Yes
Engineered System | ZFS Array Storage Heads | No | Oracle ZFS Appliance | No | Yes (configured by the customer)
Exadata | Database Node | Yes | Oracle Engineered System ILOM Server, Oracle Virtual Platform, Oracle Server, Host | Yes | Yes
Exalogic | Physical Compute Node | Yes | Oracle Engineered System ILOM Server, Host | Yes | Yes
Exalogic | Exalogic Control VM | Yes | Host | No | No
SuperCluster | Control Domains | Yes | Oracle Engineered System ILOM Server | Yes | Yes
SuperCluster | Logical Domains | Yes | Host | No (covered by Control Domain) | Yes
Standalone | Server (including other Engineered System nodes and VMs, for example ODA, BDA, Exalytics) | Yes | Oracle Engineered System ILOM Server (if Oracle hardware), Host | Yes | Yes
Standalone | ZFS Array Storage Heads | No | Oracle ZFS Storage Appliance | No | Yes (configured by the customer)
Standalone | Axiom 600 | No | Oracle Axiom | Yes | Yes (Call Home Customer Configured)

Implementation Impact on the Environment

The following sections describe the changes that are made to various types of system during the implementation process:

■ Systems with an agent deployed. See “All Systems With An Agent Deployed” on page 53.
■ Engineered Systems. See “Engineered Systems” on page 54.
■ Engineered System Cisco Switches. See “Engineered System Cisco Switches” on page 54.
■ Engineered System Infiniband Switches. See “Engineered System Infiniband Switches” on page 55.
■ Engineered System PDUs. See “Engineered System PDUs” on page 55.
■ OVS Compute Nodes. See “OVS Compute Nodes” on page 55.
■ Exalogic Compute Nodes (Physical Implementation) and Exalogic Virtual Machines / Control Virtual Machines. See “Exalogic Compute Nodes (Physical Implementation) and Exalogic Virtual Machines / Control Virtual Machines” on page 56.
■ ZFS Storage Array Storage Heads. See “ZFS Storage Array Storage Heads” on page 56.
■ Pillar Axiom 600. See “Pillar Axiom 600 Storage Arrays” on page 57.

All Systems With An Agent Deployed

The following changes are made to every system on which an agent is deployed:

■ An entry is added to the /etc/hosts file for Oracle Advanced Support Gateway.
■ A new group is created on the operating system (OS) of the monitored server. The default group name is orarom.
■ A new user is created on the ILOM of the monitored server (if applicable). The default username is orarom.
■ A new user (orarom) is added on the operating system (OS) of the monitored server.
■ The new OS user is added to the group that owns the Oracle Inventory.
■ The new user is added to the group that owns the database diag directories listed in the oratab file (required for monitoring databases and generating ADR packages).
■ The Oracle Inventory directory is updated for group read/write permissions.
■ The database diag directories are updated for group read/write permissions.
■ A directory (/opt/OracleHomes) is created for the agent information, based on the information provided in the Service Implementation Worksheet (SIW). The SIW is a key part of the planning, execution, and successful implementation of Oracle Supported Services.
■ If permission to retain root privileges is given in the configuration worksheet, the sudoers or RBAC files are updated to allow the new OS user to execute commands as root.
■ For Linux systems, the group of the /var/log/messages file is changed to the new group (orarom) if the group owner is root, and group read permission is granted. The agent user is then a member of a group that can read the file and can monitor the messages file. If the messages file is already owned by a different group, the new user is added to that group instead.
■ For Linux systems, the /etc/security/limits.conf file is updated to add the settings the new user (orarom) requires to meet the agent requirements.
■ Agents are pushed from Oracle Advanced Support Gateway to the server using the new user. The storage requirement for the agent is initially around 5GB.
■ Once the agents have been installed, the root.sh script for the agent is executed. root.sh creates or updates /etc/oragchomelist, creates /etc/init.d/gcstartup, and creates /etc/init.d/lockgcstartup.
■ For Solaris systems, the explorer tool may be scheduled to execute once per week at 11 PM on Sunday in root’s crontab.
■ For some Solaris systems, host-based fault telemetry is configured for ASR, either by updating snmpd.conf or by using asradm, and the required services are started.
■ ILOMs are configured to send SNMP traps to Oracle Advanced Support Gateway for all ILOM-detected faults of level minor or above for ASR.

Note - For Exadata nodes, the ILOM rules are configured on the operating system of the node using the Exadata CLIs (cellcli and dbmcli) rather than directly on the ILOM.

Note - For Exalogic Virtual Machines, a further file is copied from the physical host to /var/exalogic/info to define it as part of an Exalogic.
Engineered Systems

An Engineered System has strict policies that do not allow the creation of new users or the deployment of agents on the OS. The changes that are made to these systems are performed in three stages:

■ Create a user on the ILOM of the system to allow Oracle to access the ILOM and the console of the system during troubleshooting. The default username is orarom.
■ When the system is discovered by Oracle Enterprise Manager Cloud Control, it creates SSH keys from the monitoring user on the database node(s) to the cellmonitor user within the storage cell.
■ Update the snmpsubscribers in the cell software to send the traps to Oracle Advanced Support Gateway for ASR. This removes any current subscribers that have a type of ASR.
■ Update the notificationpolicy in the cell software to include "critical,warning,clear".
■ Update the notificationmethod in the cell software to include snmp.

Engineered System Cisco Switches

The Cisco switch that is installed in the racks of an Engineered System is updated to send traps to Oracle Advanced Support Gateway, and the SNMP server is enabled to send traps. The community string is entered if not already set.

Engineered System Infiniband Switches

The Infiniband switches that are installed in the racks of an Engineered System are updated to send traps to Oracle Advanced Support Gateway, and a set of SSH keys is created to allow password-less login from the monitoring agent to the nm2user on the switch. The SSH keys for Exadata and SuperCluster systems are configured at discovery time. For the other systems, the keys are created manually by the installation engineer during the implementation, prior to the target discoveries.
Engineered System PDUs

The PDU modules within the racks of an Engineered System are updated to send traps to Oracle Advanced Support Gateway, and the PDU thresholds are set to generate alerts based on the values from the Oracle Engineering teams.

OVS Compute Nodes

The Oracle Virtual Server operating system that is used within an Engineered System running the virtualized stack has strict policies that do not allow the installation of agents on the systems. These nodes have their ILOMs configured to send traps to the OASG for ASR. A user (orarom) is created on the OVS server and granted the following privileges in the sudoers file:

<user> ALL=/usr/sbin/xentop, /usr/sbin/dmidecode, /sbin/ethtool, /usr/bin/xenstore-ls, /usr/bin/xenstore-read, /usr/bin/xenstore-list, NOPASSWD: /usr/sbin/xl, /usr/bin/ipmitool, /usr/sbin/xm, /usr/sbin/imageinfo

This list of commands is used by the Oracle Virtual Platform and Oracle Server target types to read information about the system and relay it to OEM.

Note - The profile may be updated if the option for Oracle to retain sudo privilege is granted.

Exalogic Compute Nodes (Physical Implementation) and Exalogic Virtual Machines / Control Virtual Machines

These types of system have limited storage space on the root filesystem. Installing an agent on the root filesystem is deemed to put this limited space at risk. The implementation for these systems creates a project on the internal ZFS storage array in the rack and creates a filesystem for each node or VM that has an agent installed. The installation on the node/VM then performs the following:

■ Update the (v)fstab to ensure the filesystem is mounted from the ZFS storage array at boot time.
■ Mount the filesystem on the required directory.
■ Install and configure the Exalogic Lifecycle Toolkit, release 14.2.
■ Refer to the Exalogic Lifecycle Tools Note 1912063.1 on the My Oracle Support (MOS) website at: https://support.oracle.com/epmos/faces/DocumentDisplay?id=1912063.1.

A user (orarom) is granted the following privileges in the sudoers file:

<user> ALL=/usr/sbin/dmidecode, /sbin/ethtool, NOPASSWD: /usr/bin/ipmitool, /usr/sbin/imageinfo

Note - The profile may be updated if the option for Oracle to retain sudo privilege is granted.

ZFS Storage Array Storage Heads

The ZFS arrays are appliances that cannot have agents installed on them. Consequently, they are monitored from another agent using a specific monitoring user. The changes that are carried out on both of the storage heads in a cluster are as follows:

■ Execute the workflow “Configure for Oracle Enterprise Manager”. This always has the recreateWorksheet setting enabled. If the oracle_agent user and role are already created, the recreateUser setting is not enabled; otherwise it is enabled. If the user is set to be recreated, the password used is a strong, randomly generated, 16-character password.

Note - The customer can change the password on the oracle_agent user without affecting the Oracle monitoring solution.

■ Create a new user for the Oracle monitoring solution using the role oracle_agent created by the above workflow. The default username is orarom, but the name is customizable from the Service Implementation Worksheet (SIW).
■ Enable advanced_analytics for the new user created above.

Pillar Axiom 600 Storage Arrays

The Axiom 600 storage array is an appliance that cannot have an agent installed on it. Consequently, it is monitored from another agent using a plug-in. A new user is created with a Monitor role for the plug-in to perform the connection and obtain the information. The default username is orarom, but the name is customizable from the Service Implementation Worksheet (SIW).
Utilization Impact Risk of OEM Cloud Control Agent on Monitored Systems

Oracle's implementation is designed to be a low-risk deployment, using scripts to ensure consistent deployments across all customer implementations. Furthermore, the implementation is validated for monitoring within Oracle test systems. Oracle makes no changes to customer applications or files outside of the steps described in the relevant sections on impacts on the environment above. The table below outlines the utilization impact that OEM has on the monitored systems.

TABLE 23  Utilization Impact of Oracle Enterprise Manager Cloud Control Agent on Monitored Systems

Overhead Impact of the Oracle Tools in the Environment

Metric                   OEM 12c
CPU Utilization          The OEM 12c Agent uses from 0.02% to 1% of CPU utilization. The agent may utilize more CPU cycles, depending on the number of processes or applications monitored.
Memory Utilization       The OEM 12c Agent needs from 1GB to 2GB RAM to operate correctly. The actual memory utilization of the agent varies depending on the number of processes or applications monitored.
Disk Space Utilization   The OEM agent requires at least 2GB of free disk space for the installation files. After installation is complete, the installation files are removed. The installed OEM agent requires about 1GB of space initially. As the agent operates, disk space usage gradually increases up to 5GB.

Backout Plan

If it is necessary for the installation to be rolled back, Oracle will:

■ Shut down the agents that have been configured;
■ Work with the customer to schedule a maintenance window to remove the agents and trap destinations for all the devices configured for monitoring.
Server Prerequisites for Monitoring Deployment

This section outlines the methods used to provide Oracle with the necessary server access for implementing monitoring on the Gateway. Refer to the following:

■ “Monitoring Access: an Overview” on page 58
■ “User Privileges” on page 59
■ “Solaris 11 Initial Setup User RBAC Profile” on page 61
■ “Solaris 10 Initial Setup User RBAC Profile” on page 63
■ “Solaris sudo Profile” on page 63
■ “Linux sudo Profile” on page 64

Monitoring Access: an Overview

In general, there are three methods for providing Oracle the necessary access for implementing monitoring:

■ Provide root access to all systems.
■ Enable access using Role-based Access Control (RBAC). RBAC is a security feature for controlling user access to tasks that would normally be restricted to the root role. By applying security attributes to processes and to users, RBAC can divide superuser capabilities among several administrators. This option is applicable only to systems running the Solaris operating system.
■ Provide access via sudo (superuser do). sudo is a program for operating systems such as Linux and Solaris that allows users to run programs as another user, normally the system’s superuser (root), as specified in the /etc/sudoers file.
User Privileges

Oracle requires that the user can execute the following commands using root privileges:

■ <Service EM Base Directory>/agent_home/core/12.1.0.5.0/root.sh
■ <Service EM Base Directory>/agent_home/core/12.1.0.4.0/root.sh
■ /opt/exalytics/asr/bda_mon_hw_asr.pl (Exalytics only)
■ /opt/oracle/oak/bin/oakcli (Oracle Database Appliance only)
■ /opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl (Exadata only)
■ /opt/oracle.cellos/imageinfo (Exadata only)
■ /opt/exalogic/usr/sbin/imageinfo (Exalogic only)
■ /opt/oracle/dbserver/dbms/bin/dbmcli (Exadata and ZDLRA only)
■ /opt/oracle/bda/bin/imageinfo (Big Data only)
■ /opt/ipmitool/bin/ipmitool (Solaris only)
■ /opt/ipmitool/sbin/ipmitool (Solaris only)
■ /usr/bin/chmod
■ /usr/bin/chown
■ /usr/bin/chgrp
■ /usr/bin/crontab (Solaris only)
■ /usr/bin/cp
■ /usr/bin/ex
■ /usr/bin/ipmitool
■ /usr/bin/grep
■ /usr/bin/ls
■ /usr/bin/mkdir
■ /usr/bin/rmdir
■ /usr/bin/passwd
■ /usr/bin/profiles (Solaris 11 only)
■ /usr/bin/vim
■ /usr/bin/xenstore-list
■ /usr/lib/fm/notify/asr-notify (Solaris 11 only)
■ /usr/sbin/dbmcli (Exadata and ZDLRA only)
■ /usr/sbin/dmidecode (Linux only)
■ /usr/sbin/groupadd
■ /usr/sbin/svcadm (Solaris only)
■ /usr/sbin/useradd
■ /usr/sbin/usermod
■ /usr/sbin/xm

The user provided for the initial setup can be removed once the monitoring has been deployed and the agent user has been created. The agent user can be a user defined within a naming service, with a home directory mounted from an NFS server. However, the agent installation directory must be unique to each server to be monitored. If the agent user is configured as part of a naming service, then the user must belong to the group that owns the Oracle inventory on all of the servers.
The deployment scripts verify and enforce group write permissions on any Oracle inventory directory that is discovered using the /etc/oraInst.loc or /var/opt/oracle/oraInst.loc files.

User Privileges for Exalogic Systems

If the user is part of a naming service and NFS mounts are to be defined (Exalogic systems require NFS mounts), use NFSv4 rather than NFSv3. The configuration of NFSv4 is outside the scope of this service, but the new mounts are defined with the NFSv4 options, and the following extra command must be added to the security profile, depending on OS:

■ /usr/sbin/mount (Linux)
■ /sbin/mount (Solaris)

Note - The command paths are related to Solaris. For the Linux paths, please refer to the sudo settings for Linux.

Solaris 11 Initial Setup User RBAC Profile

The user for the initial setup requires a profile built from the following configuration file:

set desc="ACS Service Profile"
add cmd=<Service EM Base>/agent_home/core/12.1.0.5.0/root.sh
set uid=0
end
add cmd=<Service EM Base>/agent_home/core/12.1.0.4.0/root.sh
set uid=0
end
add cmd=/opt/oracle.cellos/imageinfo
set uid=0
end
add cmd=/opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl
set uid=0
end
add cmd=/opt/ipmitool/bin/ipmitool
set uid=0
end
add cmd=/opt/ipmitool/sbin/ipmitool
set uid=0
end
add cmd=/usr/bin/chmod
set uid=0
end
add cmd=/usr/bin/chown
set uid=0
end
add cmd=/usr/bin/chgrp
set uid=0
end
add cmd=/usr/bin/crontab
set uid=0
end
add cmd=/usr/bin/cp
set uid=0
end
add cmd=/usr/bin/ex
set uid=0
end
add cmd=/usr/bin/vim
set uid=0
end
add cmd=/usr/bin/grep
set uid=0
end
add cmd=/usr/bin/ls
set uid=0
end
add cmd=/usr/sbin/groupadd
set uid=0
end
add cmd=/usr/bin/mkdir
set uid=0
end
add cmd=/usr/bin/rmdir
set uid=0
end
add cmd=/usr/bin/passwd
set uid=0
end
add cmd=/usr/bin/profiles
set uid=0
end
add cmd=/usr/lib/fm/notify/asr-notify
set uid=0
end
add cmd=/usr/sbin/svcadm
set uid=0
end
add cmd=/usr/sbin/useradd
set uid=0
end
add cmd=/usr/sbin/usermod
set uid=0
end
add cmd=/opt/exalogic/usr/sbin/imageinfo
set uid=0
end

If the Oracle Enterprise Manager (OEM) agents are installed on an Exalogic, an NFS mount is configured by Oracle, and the user must also have the following command added to the profile:

add cmd=/sbin/mount
set uid=0
end

To create the profile from the configuration file above, run the following as root or as a user with permission to create new profiles:

profiles -p <Profile name> -f <configuration file>
usermod -P +<Profile name> <user>

This provides the required level of access to create the user and group directories, as well as to set the permissions on the Oracle inventory.

Solaris 10 Initial Setup User RBAC Profile

Solaris 10 RBAC configuration is controlled through files located in the /etc/security directory.
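The profile file above has a small grammar: a top-level set desc=..., then one add cmd=PATH / set uid=0 / end block per command. The following script, added here as an example and not part of Oracle's deployment tooling, parses a file in that format, emits the equivalent Solaris 10 exec_attr lines (the NAME:solaris:cmd:::PATH:uid=0 form used in the next section), and compares the commands granted uid=0 against a list of the commands that are actually required, so an administrator can check a hand-edited profile before assigning it with usermod -P. The sample profile and the required list are constructed subsets of the commands listed in this chapter; /usr/local/bin/extra-tool is a constructed path that stands in for an over-grant.

```python
"""Parse a Solaris 11 'profiles -f' configuration file, emit the Solaris 10
exec_attr(4) equivalent, and compare granted commands against a required
list.  Added example for this guide, not Oracle's deployment tooling."""

# Constructed sample: a subset of the guide's profile plus one extra path.
SAMPLE_PROFILE = """\
set desc="ACS Service Profile"
add cmd=/usr/bin/chmod
set uid=0
end
add cmd=/usr/bin/chown
set uid=0
end
add cmd=/usr/sbin/useradd
set uid=0
end
add cmd=/usr/local/bin/extra-tool
set uid=0
end
"""

# Constructed required list (a subset of the guide's User Privileges list).
REQUIRED = ["/usr/bin/chmod", "/usr/bin/chown",
            "/usr/sbin/useradd", "/usr/sbin/usermod"]


def parse_profile_file(text):
    """Return (description, entries); each entry is (cmd, {attr: value}).
    Grammar handled: 'set desc=...' at top level, 'add cmd=PATH' opening a
    block, 'set KEY=VALUE' inside the block, and 'end' closing it."""
    desc, entries, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if current is None and line.startswith("set desc="):
            desc = line[len("set desc="):].strip().strip('"')
        elif current is None and line.startswith("add cmd="):
            current = (line[len("add cmd="):].strip(), {})
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition("=")
            current[1][key.strip()] = value.strip()
        elif current is not None and line == "end":
            entries.append(current)
            current = None
        else:
            raise ValueError("unexpected line: %r" % line)
    if current is not None:
        raise ValueError("unterminated add block for %s" % current[0])
    return desc, entries


def to_exec_attr(profile_name, entries):
    """Solaris 10 equivalent: one exec_attr line per command, in the form
    NAME:solaris:cmd:::PATH:attr=value (attributes joined with ';')."""
    lines = []
    for cmd, attrs in entries:
        attr_str = ";".join("%s=%s" % item for item in sorted(attrs.items()))
        lines.append("%s:solaris:cmd:::%s:%s" % (profile_name, cmd, attr_str))
    return lines


def privilege_diff(entries, required):
    """Least-privilege check: returns (required commands not granted uid=0,
    commands granted uid=0 that are not on the required list)."""
    granted = {cmd for cmd, attrs in entries if attrs.get("uid") == "0"}
    return sorted(set(required) - granted), sorted(granted - set(required))


if __name__ == "__main__":
    desc, entries = parse_profile_file(SAMPLE_PROFILE)
    print("profile:", desc)
    for line in to_exec_attr("ACSSINITIAL", entries):
        print(line)
    missing, extra = privilege_diff(entries, REQUIRED)
    print("missing:", missing)
    print("beyond the required list:", extra)
```

The diff is the part worth keeping: a profile that grants uid=0 to anything not on the required list widens the initial-setup user's reach beyond what the deployment needs, and a missing entry shows up as a failed root.sh or usermod step rather than as a clear error.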
Append the following lines to the exec_attr file:

ACSSINITIAL:solaris:cmd:::<Service EM Base>/agent_home/core/12.1.0.5.0/root.sh:uid=0
ACSSINITIAL:solaris:cmd:::<Service EM Base>/agent_home/core/12.1.0.4.0/root.sh:uid=0
ACSSINITIAL:solaris:cmd:::/opt/ipmitool/bin/ipmitool:uid=0
ACSSINITIAL:solaris:cmd:::/opt/ipmitool/sbin/ipmitool:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/chmod:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/chown:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/chgrp:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/crontab:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/cp:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/ex:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/vim:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/grep:uid=0
ACSSINITIAL:solaris:cmd:::/usr/sbin/groupadd:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/ls:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/mkdir:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/rmdir:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/passwd:uid=0
ACSSINITIAL:solaris:cmd:::/usr/sbin/svcadm:uid=0
ACSSINITIAL:solaris:cmd:::/usr/sbin/useradd:uid=0
ACSSINITIAL:solaris:cmd:::/usr/sbin/usermod:uid=0

If the Oracle Enterprise Manager (OEM) agents are installed on an Exalogic, an NFS mount is configured by Oracle, and the user must also have the following command added to the profile:

ACSSINITIAL:solaris:cmd:::/sbin/mount:uid=0

Append the following line to the prof_attr file:

ACSSINITIAL:::Oracle Install Profile:

Once these entries have been added, update the user that will be used for the initial installation to allow access to the profile:

usermod -P ACSSINITIAL <user>

Solaris sudo Profile

For Solaris users, add the following entries to the sudoers file:

Cmnd_Alias ACSSINSTALL = /usr/bin/chmod, /usr/bin/chown, \
    /usr/bin/chgrp, /usr/bin/crontab, /usr/bin/cp, \
    /usr/bin/ex, /usr/bin/grep, /usr/sbin/groupadd, \
    /usr/bin/ls, /usr/bin/mkdir, /usr/bin/passwd, \
    /usr/bin/profiles, /usr/lib/fm/notify/asr-notify, \
    /usr/bin/rmdir, /usr/sbin/svcadm, /usr/sbin/asradm, \
    /usr/sbin/useradd, /usr/sbin/usermod, \
    <ServiceEMBase>/agent_home/core/12.1.0.5.0/root.sh, \
    <ServiceEMBase>/agent_home/core/12.1.0.4.0/root.sh, \
    /opt/ipmitool/bin/ipmitool, /opt/ipmitool/sbin/ipmitool, \
    /opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl, \
    /opt/oracle.cellos/imageinfo, \
    /opt/exalogic/usr/sbin/imageinfo
<user> ALL=(ALL) ACSSINSTALL

The user must also have the sudo binary in their path to allow it to execute without a full path.

If the OEM agents are installed using an NFS mount that is to be configured by Oracle, then the user must also have the following command alias created and assigned to the user:

Cmnd_Alias ACSSHAREDINSTALL = /sbin/mount
<user> ALL=(ALL) ACSSHAREDINSTALL

Linux sudo Profile

For Linux users, add the following entries to the sudoers file:

Cmnd_Alias ACSSINSTALL = /bin/chmod, /bin/chown, \
    /bin/chgrp, /bin/cp, /bin/ex, \
    /bin/grep, /bin/ls, /bin/mkdir, /bin/rmdir, \
    /opt/exalytics/asr/bda_mon_hw_asr.pl, \
    /usr/bin/passwd, /usr/sbin/groupadd, \
    /usr/sbin/useradd, /usr/sbin/usermod, \
    /usr/bin/ipmitool, /usr/bin/xenstore-list, \
    /opt/oracle/oak/oakcli, /usr/sbin/dmidecode, \
    <ServiceEMBase>/agent_home/core/12.1.0.5.0/root.sh, \
    <ServiceEMBase>/agent_home/core/12.1.0.4.0/root.sh, \
    /opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl, \
    /opt/oracle.cellos/imageinfo, \
    /opt/oracle/dbserver/dbms/bin/dbmcli, \
    /opt/exalogic/usr/sbin/imageinfo, \
    /usr/sbin/imageinfo, /usr/sbin/xm, \
    /opt/oracle/bda/bin/imageinfo
<user> ALL=(ALL) ACSSINSTALL

The user must also have the sudo binary in their path to allow it to execute without a full path.
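The sudoers entries in this chapter come in two shapes: a Cmnd_Alias spread over backslash-continued lines and granted with <user> ALL=(ALL) ALIAS, and the per-user specifications for the OVS and Exalogic nodes, where a NOPASSWD: tag part-way through the list applies to that command and every command after it. The script below, added here as an example and not Oracle's tooling, parses both shapes and lists what each user may run, whether a password is required, and which entries still contain an unexpanded placeholder such as <ServiceEMBase> or are not absolute paths (sudo requires absolute paths in a command list). The sample text is constructed from the entries shown above, shortened, and the user name acsinstall is a placeholder for the initial-setup user.

```python
"""Parse sudoers Cmnd_Alias definitions and user specifications of the kind
shown in this chapter and report how each granted command may be run.
Added example for this guide, not Oracle's tooling."""
import re

# Constructed sample based on the guide's entries; 'acsinstall' is a
# placeholder user name, and <ServiceEMBase> is left unexpanded on purpose.
SAMPLE_SUDOERS = """\
# Constructed sample based on the entries shown in this guide.
Cmnd_Alias ACSSINSTALL = /bin/chmod, /bin/chown, \\
    /usr/bin/passwd, /usr/sbin/useradd, \\
    <ServiceEMBase>/agent_home/core/12.1.0.5.0/root.sh
acsinstall ALL=(ALL) ACSSINSTALL
orarom ALL=/usr/sbin/xentop, /usr/sbin/dmidecode, /sbin/ethtool, \\
    NOPASSWD: /usr/sbin/xl, /usr/bin/ipmitool, /usr/sbin/imageinfo
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.*)$")
SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD):\s*(.*)$")


def _logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines,
    and collapse runs of whitespace."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        lines.append(" ".join(buf.split()))
    return lines


def _commands(cmd_list, aliases):
    """Expand a comma-separated command list into (command, nopasswd) pairs.
    A NOPASSWD:/PASSWD: tag applies to that command and every command after
    it in the list, which is how sudoers interprets tags."""
    result, nopasswd = [], False
    for item in cmd_list.split(","):
        item = item.strip()
        if not item:
            continue
        m = TAG_RE.match(item)
        if m:
            nopasswd = m.group(1) == "NOPASSWD"
            item = m.group(2).strip()
        if item in aliases:
            result.extend((cmd, nopasswd) for cmd in aliases[item])
        else:
            result.append((item, nopasswd))
    return result


def parse_sudoers(text):
    """Return (aliases, specs): aliases maps alias name -> [command]; each
    spec is a dict with user, host, runas and [(command, nopasswd)]."""
    aliases, specs = {}, []
    for line in _logical_lines(text):
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c for c, _ in _commands(m.group(2), aliases)]
            continue
        m = SPEC_RE.match(line)
        if m:
            user, host, runas, cmds = m.groups()
            specs.append({"user": user, "host": host,
                          "runas": runas or "root",  # sudo's default target
                          "commands": _commands(cmds, aliases)})
    return aliases, specs


def audit(text):
    """Findings a reviewer checks before approving the grant: ALL, entries
    that are not absolute paths (unexpanded placeholders included), and
    commands that run without a password."""
    findings = []
    for spec in parse_sudoers(text)[1]:
        for cmd, nopasswd in spec["commands"]:
            path = cmd.split()[0]
            if path == "ALL":
                findings.append((spec["user"], cmd, "grants every command"))
            elif not path.startswith("/"):
                findings.append((spec["user"], cmd, "not an absolute path"))
            if nopasswd:
                findings.append((spec["user"], cmd, "runs without a password"))
    return findings


if __name__ == "__main__":
    for user, cmd, why in audit(SAMPLE_SUDOERS):
        print("%-10s %-55s %s" % (user, cmd, why))
```

Run against a real file only after visudo -c has accepted it; this parser covers the subset of the grammar used in this chapter, not Defaults lines, host aliases or negated entries.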
If the Oracle Enterprise Manager (OEM) agents are installed on an Exalogic, an NFS mount is configured by Oracle, and the user must also have the following command added to the profile:

Cmnd_Alias ACSSHAREDINSTALL = /bin/mount
<user> ALL=(ALL) ACSSHAREDINSTALL

Storage Prerequisites for Monitoring Deployment

This section outlines storage requirements for the monitoring deployment. Refer to the following sections:

■ “Monitoring Deployment: an Overview” on page 65
■ “Oracle ZFS Storage Appliances” on page 65

Monitoring Deployment: an Overview

The storage systems do not have the same privilege promotion capabilities as the servers do; each storage system has a different method of granting access privileges. There are three options to provide Oracle with the necessary access for implementing monitoring:

■ Provide administrator access to the system.
■ For some systems, create a user with the necessary privileges for Oracle to configure a new user for monitoring.
■ Create the monitoring user per the system requirements.

For information on which options are available for the various storage systems, refer to the following sections.

Oracle ZFS Storage Appliances

The information in the following sections defines the properties for the users used in the deployment of monitoring and the standard monitoring users. Further privileges are required for patching the systems during a patch cycle.
Refer to the following sections:

■ “Restricted User for Monitoring Deployment (AKSH Shell)” on page 66
■ “Monitoring User Requirements” on page 66
■ “Restricted User for Monitoring Deployment User (ILOM)” on page 66
■ “Monitoring User Requirements (ILOM)” on page 67

Restricted User for Monitoring Deployment (AKSH Shell)

You can create a user with the following privileges to be used during the monitoring deployment:

TABLE 24  Privileges for a Restricted User for Monitoring Deployment

Object          Permissions
worksheet.*.*   modify
stat.*          read, create
user.*          changePassword, changePreferences, changeProperties, changeRoles, create
workflow.*.*    read
role.*          changeAuths, changeDescription, create

Monitoring User Requirements

You can create the monitoring user using the following high-level steps:

■ Execute the workflow outlined in the section “Configure for Oracle Enterprise Manager Monitoring”, ensuring that you select creation of the worksheet.
■ Create a new user for monitoring.
■ Assign the oracle_agent role to this user.
■ Set the preferences for the user to enable Advanced Analytics.
■ Add the stat.* create authorization to the oracle_agent role.

Restricted User for Monitoring Deployment User (ILOM)

You can create a user with the role of u to allow Oracle to create a new user for use with the monitoring.

Monitoring User Requirements (ILOM)

In order to provide monitoring and diagnostic collection on the ZFS ILOM, including initiating an NMI to the host, the monitoring user requires the permissions cro.

Audit Logging Feature

The Audit Logging Feature of the Oracle Advanced Support Gateway provides audit information for three different categories of system events.
The three categories are:

■ Outbound Network Connections: The Linux firewall service (iptables) triggers notifications for all outbound network traffic, with the exception of traffic to Oracle-managed hosts used for monitoring and management (for example, Oracle VPN end points, dts.oracle.com, support.oracle.com).
■ Outbound Login Activity: The Linux auditing service (auditd) triggers notifications for all outbound login attempts initiated from the Oracle Advanced Support Gateway. This is done by monitoring usage of the ssh and telnet system binaries. Oracle Advanced Support Gateway sends a message that ssh or telnet has been used, by which user, and when. The destination is not provided; the auditd logs contain that information, and those logs are not directly accessible by the customer on Oracle Advanced Support Gateway.
■ Inbound Oracle Advanced Support Gateway User Login Activity: The Linux auditing service (auditd) triggers notifications each time any of the system logs used for tracking logins is updated. This includes failed logins and successful login attempts. It also triggers a notification each time a user logs in from a remote system.

These activities are monitored using auditd and forwarded to the customer's central logging system. All audit notifications are delivered using the standard syslog protocol. A central logging system must be provided to accept and process these messages. The format of most of these messages is based on auditd, and they can be managed using various auditd and related utilities.

The audit logging feature is disabled by default and must be explicitly enabled through the Oracle Advanced Support Gateway command line interface (CLI). The details of how to configure this feature are explained in the following section.

Note - Outbound Network Connection logging can be enabled by Oracle staff for 3.7.3, 3.8, and 3.9 Gateways.

Initial Login

1. Use ssh to connect to the Oracle Advanced Support Gateway. Use the customer administrator account configured at installation time or any other user with the customer administrator role.
2. At the first (CLI or CLISH) prompt, enter the password.
3. At the next prompt, enter configure terminal.
4. At the next prompt, enter syslog.

You are now in the syslog-specific section of the Oracle Advanced Support Gateway CLI, where you can configure forwarding.

Available Commands

Command            Description
help               Display a list of available commands.
?                  Display a brief explanation of how to enter commands in the CLI.
stat               Display the current configuration. This produces a display similar to the following:

------------- SyslogBroadcaster Configuration -----------
Message Forward Status = enabled
Host IP Address = 1.2.3.4
Host Port Number = 514
Host Time Zone = GMT
firewall Message Forward = enabled
ssh Message Forward = enabled
session Message Forward = enabled
UID/GUID Mapping = enabled
-----------------------------------------------------------

forward enable     Enable syslog forwarding.
forward disable    Disable syslog forwarding.
ip <ip address>    Enter the IP address of the remote syslog server (the one receiving the forwarded messages). You must enter a valid IP address, not a host name.
port <port #>      Change the port used for forwarding syslog messages.
timezone <value>   Set the time zone used in the forwarded syslog messages. The value must be -12 to +12, the offset from GMT.
mapping enable     Convert the uid and gid contained in each message to the corresponding Unix user and group name.
mapping disable    Disable the conversion of uid and gid to user and group name.

Enabling and Disabling Logging Messages

The following paragraphs show the commands to enable and disable logging messages, and provide examples of the resulting messages. In the examples below, user mapping is enabled: uid=#(username) and gid=#(groupname).
In the event that user mapping is disabled, all instances of uid=# and gid=# are replaced with uid=0 and gid=0. Any combination of the following three categories can be enabled or disabled.

Outbound Network Connectivity

■ To enable or disable this type of message forwarding:

firewall enable
firewall disable

These messages are generated by iptables and represent all outbound network traffic, with the exception of traffic to known addresses used for Oracle monitoring. The following example shows messages as they are seen on the system that receives the forwarded syslog messages.

Result from an nslookup command:

Jul 31 15:10:01 Jul-31 15:10:01 GMT+00:00 0:0:0:0:0:0:0:1 NA: sample-host kernel: iptables: IN= OUT=eth0 SRC=nn.nn.nn.nn DST=nn.nn.nn.nn LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=33101 DF PROTO=UDP SPT=30849 DPT=53 LEN=39 UID=jsmith GID=admin

Result from an ssh command:

Jul 31 15:13:22 Jul-31 15:13:22 GMT+00:00 0:0:0:0:0:0:0:1 NA: sample-host kernel: iptables: IN= OUT=eth0 SRC=nn.nn.nn.nn DST=nn.nn.nn.nn LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46937 DF PROTO=TCP SPT=54842 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0 UID=jsmith GID=admin

Outbound Login Activity

■ To enable or disable this type of message forwarding:

ssh enable
ssh disable

The following example shows a message as it is seen on the system that receives the forwarded syslog messages.
Result from an ssh command:

Jul 31 15:22:15 Jul-31 15:22:14 GMT+00:00 0:0:0:0:0:0:0:1 NA: sample-host audispd: node=sample-host type=SYSCALL msg=audit(1437567767.027:17839321): arch=c000003e syscall=59 success=yes exit=0 a0=124e030 a1=123d7f0 a2=1246d90 a3=10 items=2 ppid=22614 pid=25252 auid=54373 uid=jsmith gid=admin euid=54373 suid=54373 fsuid=54373 egid=501 sgid=501 fsgid=501 tty=pts4 ses=90594 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="gateway_audit"

Oracle Advanced Support Gateway User Login Activity

■ To enable or disable this type of message forwarding:

session enable
session disable

The following examples show messages as they are seen on the system that receives the forwarded syslog messages.

Example of ssh being invoked on Oracle Advanced Support Gateway:

Aug 1 21:37:02 Aug-01 17:37:02 GMT-04:00 0:0:0:0:0:0:0:1 NA: sample-host audispd: node=sample-host type=SYSCALL msg=audit(1375393022.626:187186): arch=c000003e syscall=59 success=yes exit=0 a0=7fa860e69380 a1=7fa860e697e0 a2=7fa860e69ca0 a3=0 items=2 ppid=1428 pid=12967 auid=4294967295 uid=jsmith gid=admin euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key="SESSION"

Result from an su command on Oracle Advanced Support Gateway:

Aug 1 21:42:49 Aug-01 17:42:49 GMT-04:00 0:0:0:0:0:0:0:1 NA: sample-host audispd: node=sample-host type=SYSCALL msg=audit(1437567906.700:17840209): arch=c000003e syscall=2 success=yes exit=3 a0=7f691418c518 a1=2 a2=7f691418c760 a3=fffffffffffffff0 items=1 ppid=22614 pid=25811 auid=54373 uid=54373 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts4 ses=90594 comm="su" exe="/bin/su" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="SESSION"
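The forwarded messages above arrive at the customer's central logging system as plain syslog lines with two payload shapes: iptables lines from the kernel (upper-case KEY=value fields) and audispd SYSCALL records (lower-case key=value fields, with the audit rule key distinguishing the gateway_audit rule used for outbound ssh from the SESSION rule used for logins). The script below, added here as an example and not part of the Gateway or of Oracle's tooling, parses both shapes, assigns each line to one of the three audit categories, and pulls out the fields a SOC would index (user, protocol and destination port, executed binary, success flag). The sample lines are constructed after the examples in this section, with the documentation addresses 192.0.2.x in place of nn.nn.nn.nn; the category rules are an assumption based on this section's description of the three message types.

```python
"""Classify the Gateway's forwarded audit messages (iptables outbound
connections, audispd outbound-login and session records) and extract the
fields worth indexing.  Added example for this guide, not the Gateway's own
code; sample lines are constructed after the guide's examples."""
import re

SAMPLE_LINES = [
    # Outbound DNS query (after the guide's nslookup example; constructed)
    "Jul 31 15:10:01 Jul-31 15:10:01 GMT+00:00 0:0:0:0:0:0:0:1 NA: sample-host "
    "kernel: iptables: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=59 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=33101 DF PROTO=UDP SPT=30849 DPT=53 LEN=39 UID=jsmith GID=admin",
    # Outbound ssh connection seen by iptables (constructed)
    "Jul 31 15:13:22 Jul-31 15:13:22 GMT+00:00 0:0:0:0:0:0:0:1 NA: sample-host "
    "kernel: iptables: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=46937 DF PROTO=TCP SPT=54842 DPT=22 WINDOW=14600 RES=0x00 "
    "SYN URGP=0 UID=jsmith GID=admin",
    # audispd record for the ssh binary being executed (constructed)
    "Jul 31 15:22:15 Jul-31 15:22:14 GMT+00:00 0:0:0:0:0:0:0:1 NA: sample-host "
    "audispd: node=sample-host type=SYSCALL msg=audit(1437567767.027:17839321): "
    "arch=c000003e syscall=59 success=yes exit=0 ppid=22614 pid=25252 auid=54373 "
    'uid=jsmith gid=admin euid=54373 tty=pts4 ses=90594 comm="ssh" '
    'exe="/usr/bin/ssh" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'key="gateway_audit"',
    # audispd record for sshd handling an inbound session (constructed)
    "Aug 1 21:37:02 Aug-01 17:37:02 GMT-04:00 0:0:0:0:0:0:0:1 NA: sample-host "
    "audispd: node=sample-host type=SYSCALL msg=audit(1375393022.626:187186): "
    "arch=c000003e syscall=59 success=yes exit=0 ppid=1428 pid=12967 "
    "auid=4294967295 uid=jsmith gid=admin euid=0 tty=(none) ses=4294967295 "
    'comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'key="SESSION"',
    # audispd record for su (constructed)
    "Aug 1 21:42:49 Aug-01 17:42:49 GMT-04:00 0:0:0:0:0:0:0:1 NA: sample-host "
    "audispd: node=sample-host type=SYSCALL msg=audit(1437567906.700:17840209): "
    "arch=c000003e syscall=2 success=yes exit=3 ppid=22614 pid=25811 auid=54373 "
    'uid=54373 gid=501 euid=0 tty=pts4 ses=90594 comm="su" exe="/bin/su" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="SESSION"',
]

# key=value pairs; values may be double-quoted (comm="ssh") or bare tokens.
# Flag words without '=' such as DF and SYN are skipped by the regex.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_fields(payload):
    """Split a key=value payload into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(payload)}


def classify(line):
    """Map one forwarded syslog line to a record dict, or None if the line is
    not one of the three Gateway audit message types."""
    if " kernel: iptables: " in line:
        f = parse_fields(line.split("iptables:", 1)[1])
        return {"category": "outbound_connection",
                "user": f.get("UID"), "group": f.get("GID"),
                "proto": f.get("PROTO"), "dst": f.get("DST"),
                "dport": int(f["DPT"]) if f.get("DPT") else None}
    if " audispd: " in line:
        f = parse_fields(line.split("audispd:", 1)[1])
        # The audit rule key tells the two auditd categories apart.
        category = {"gateway_audit": "outbound_login",
                    "SESSION": "inbound_login"}.get(f.get("key"))
        if category is None:
            return None
        return {"category": category, "user": f.get("uid"),
                "comm": f.get("comm"), "exe": f.get("exe"),
                "success": f.get("success") == "yes", "tty": f.get("tty")}
    return None


def summarize(lines):
    """Count recognised messages per category; other lines are ignored."""
    counts = {}
    for line in lines:
        rec = classify(line)
        if rec is not None:
            counts[rec["category"]] = counts.get(rec["category"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
    print(summarize(SAMPLE_LINES))
```

Two details from this section carry into the parser: with mapping disabled the uid and gid fields are numeric rather than names, so the user field should be treated as an opaque string, and the outbound-login record deliberately has no destination, so correlating it with the iptables DPT=22 line by user and timestamp is the only way the receiving system can tie an ssh execution to a remote host.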