Oracle® Advanced Support Gateway Security Guide

Part No: E40643-17
April 2017
Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except
as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform,
publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is
prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation,
delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental
regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the
hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous
applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all
appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this
software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of
SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered
trademark of The Open Group.
This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are
not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement
between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content,
products, or services, except as set forth in an applicable agreement between you and Oracle.
Access to Oracle Support
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?
ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Contents
Oracle Advanced Support Gateway Security Guide ........................................... 7
About the Oracle Advanced Support Gateway ...................................................... 7
General Requirements ...................................................................................... 8
Changes to the Security Guide Since the Last Release ........................................... 8
Firewall Port Requirements ............................................................................... 9
External Connection ....................................................................................... 10
TLS VPN and Oracle Advanced Support Gateway ...................................... 10
Alternative External Connection Option .................................................... 11
Controlling Remote VPN Access Using the Green Button Icon .............................. 12
Customer Access to the Gateway ..................................................................... 12
Internal Connection ....................................................................................... 12
Firewall Rules: Ports and Protocols .................................................................. 13
Firewall Rules for External Traffic ........................................................... 14
Firewall Rules for External Traffic Through the Encrypted VPN Tunnel .......... 16
Firewall Rules for Internal Traffic .................................................................... 17
Firewall Rules Between the Gateway and the Customer Network ................... 18
Firewall Rules for Gateway Hardware Self Monitoring ................................. 18
Firewall Rules Between the Gateway and Exadata ....................................... 19
Firewall Rules Between the Gateway and ZDLRA ...................................... 21
Firewall Rules Between the Gateway and ZFS ............................................ 23
Firewall Rules Between the Gateway and Exalogic ...................................... 25
Firewall Rules Between the Gateway and SuperCluster ................................ 27
Firewall Rules Between the Gateway and Exalytics ..................................... 30
Firewall Rules Between the Gateway and Oracle Database Appliance .............. 31
Firewall Rules Between the Gateway and Oracle Big Data Appliance .............. 32
Firewall Rules Between the Gateway and Oracle Cloud Machine ................... 34
Firewall Rules Between the Gateway and Exadata Cloud Machine .................. 39
Firewall Rules Between the Gateway and Oracle Standalone Hosts ................. 47
Firewall Rules Between the Gateway and Oracle Third-Party Hosts ................ 48
Firewall Rules Between the Gateway and Hosts to be Monitored by ADS ......... 49
ZFS, Exalogic, and SuperCluster ASR Endpoint IP Address Changes .............. 50
Implementation Changes to a Customer System .................................................. 50
The Monitoring Matrix ........................................................................... 51
Implementation Impact on the Environment ............................................... 52
All Systems With An Agent Deployed ...................................................... 53
Engineered Systems ............................................................................... 54
Engineered System Cisco Switches ........................................................... 54
Engineered System Infiniband Switches .................................................... 55
Engineered System PDU's ....................................................................... 55
OVS Compute Nodes ............................................................................. 55
Exalogic Compute Nodes (Physical Implementation) and Exalogic Virtual Machines / Control Virtual Machines ........ 56
ZFS Storage Array Storage Heads ............................................................ 56
Pillar Axiom 600 Storage Arrays ............................................................. 57
Utilization Impact Risk of OEM Cloud Control Agent on Monitored Systems ........ 57
Backout Plan ........................................................................................ 58
Server Prerequisites for Monitoring Deployment ................................................. 58
Monitoring Access: an Overview ............................................................. 58
User Privileges ...................................................................................... 59
Solaris 11 Initial Setup User RBAC Profile ................................................ 61
Solaris 10 Initial Setup User RBAC Profile ................................................ 63
Solaris sudo Profile ............................................................................... 63
Linux sudo Profile ................................................................................. 64
Storage Prerequisites for Monitoring Deployment ............................................... 65
Monitoring Deployment: an Overview ...................................................... 65
Oracle ZFS Storage Appliances ............................................................... 65
Audit Logging Feature ................................................................................... 67
Enabling and Disabling Logging Messages ................................................ 69
Oracle Advanced Support Gateway Security Guide
This document outlines the requirements for deploying the Oracle Advanced Support Gateway
into the customer environment to support the delivery of certain Oracle remote services
(hereafter referred to as Oracle Services). The Oracle Advanced Support Gateway is an
important part of the Oracle delivery architecture for Oracle Services, and its placement must
be carefully considered in order for Oracle to deliver Oracle Services. This document outlines
the network configuration options for integrating the Oracle Advanced Support Gateway device
within the customer environment. To help explain these options, this document assumes a
"simple" customer-side network topology; the same options extend to more complex
network topologies.
About the Oracle Advanced Support Gateway
The Oracle Advanced Support Gateway is a multi-purpose platform designed to facilitate
a number of Oracle Services including Oracle Platinum Services, Advanced Monitoring
and Resolution, LifeCycle services, and Business Critical Service for Systems. The Oracle
Advanced Support Gateway enables the simplification of network requirements and a single
point of access for the provision and delivery of these services.
The Gateway platform is based on the Oracle Linux operating system and hosts a full set
of Oracle software stacks, including Automated Service Request (ASR), Oracle Enterprise
Manager (12c or 13c), Oracle Configuration Manager (OCM), patch management (such as
YUM services), and a suite of Java applications. Together, these applications aggregate and
route telemetry messages from the customer environment to the Oracle Support Services
infrastructure. The Oracle Advanced Support Gateway provides remote access for Oracle
engineers to access the customer network (with customer permission) and to carry out approved
actions on customers' monitored systems.
General Requirements
There are a number of general requirements that are necessary for Oracle to deliver Oracle
Services:
■ An Oracle Advanced Support Gateway must be provisioned into the customer's environment.
■ All monitored systems must be network accessible from the Oracle Advanced Support Gateway.
■ The monitored systems must be dedicated to the customer. Oracle will not be able to deliver
  services for monitored systems which are not exclusively owned and controlled by the
  customer. Oracle recommends a dedicated, physical server for the Gateway. The Gateway can
  be deployed in a VM instance running on a standalone Oracle Virtual Machine (OVM) server.
  No other virtualization technologies, for example, VMware, are supported.
■ Oracle must have access to certain ports and protocols (described below) in order to
  implement and deliver Oracle Services.
■ The Oracle Advanced Support Gateway must be continuously accessible from the Oracle
  Support Platform using the secure protocols described below. However, the Oracle Advanced
  Support Gateway must not be directly exposed to the Internet.
In order to expedite the implementation process, the customer will be required to provide high
level network topology which should include:
■ IP numbering scheme
■ Routing policy
■ Locations of firewalls
■ Locations of monitored systems
■ Proposed location of Gateway
Having this information enables Oracle to provide a recommendation regarding Oracle
Advanced Support Gateway placement.
Changes to the Security Guide Since the Last Release
This section outlines the principal changes made to the Oracle Advanced Support Gateway
Security Guide since the last release (E40643-16; March 2017).
■ Incorrect IP addresses provided for the LDAP protocol in the firewall rules table for
  external traffic through the encrypted VPN tunnel have been updated. See “Firewall Rules
  for External Traffic Through the Encrypted VPN Tunnel” on page 16.
■ Updates have been made to the monitoring implementation for Virtual Exadata and
  Exalogic systems requiring new sudoers profiles for monitoring users. See “OVS Compute
  Nodes” on page 55 and “Exalogic Compute Nodes (Physical Implementation) and
  Exalogic Virtual Machines / Control Virtual Machines” on page 56.
Firewall Port Requirements
The specifics of the Oracle Services network requirement depends on the customer network
topology relative to the Oracle Services Support centers, the Oracle Advanced Support
Gateway, and the monitored systems. The customer networks must be configured to permit
traffic flow as shown in the diagram below.
The firewall rules must be set up to allow traffic flow in two situations:
■ Between the Oracle Advanced Support Gateway and Oracle Services Support centers. This
  is referred to as the external connection.

  Note - A web proxy can be used to proxy the HTTPS traffic across the external connection.
  However, Oracle Advanced Support Gateway does not support NTLM or Kerberos proxy
  authentication. The Transport Layer Security (TLS) VPN traffic cannot be routed through a
  proxy server.

  Note - To defend against security attacks, you should never connect Oracle Advanced
  Support Gateway interfaces or the Oracle ILOM Service Processor to a public network,
  such as the Internet. The Gateway should never be exposed directly to the Internet without
  the protection of a customer firewall or Access Control List (ACL). You should keep the
  Oracle ILOM Service Processor management traffic on a separate management network
  and grant access only to system administrators. For further information, see the section on
  Securing the Physical Management Connection in the Oracle ILOM Security Guide.

■ Between the Oracle Advanced Support Gateway and the customer's monitored devices,
  through a customer-controlled firewall or other security devices. This is referred to as the
  internal connection.
The diagram below depicts an example traffic flow between monitored systems and Oracle.
(Detailed firewall rules and templates are provided to the customer during the implementation
process.)
FIGURE 1  High Level Traffic Flow and Firewall Requirement
External Connection
Oracle utilizes a combination of a VPN solution and TLS to secure communications between
the Oracle Advanced Support Gateway, located within the customer's environment, and
the Oracle Services Support center locations. The VPN is primarily used for tasks such as
facilitating patching requirements from Oracle Services Support center locations to the Oracle
Advanced Support Gateway and TLS is used for transporting the monitoring telemetry from the
Oracle Advanced Support Gateway to the Oracle Services Support center locations.
TLS VPN and Oracle Advanced Support Gateway
The Oracle Advanced Support Gateway is configured with a software TLS-based VPN client.
When the Gateway boots up, it opens an outbound connection to one of three Oracle Services
Support centers, establishing a TLS VPN tunnel. At that point, this connection is used for
inbound connectivity between the Oracle Services Support center and the Gateway. No inbound
firewall port openings are required, as the initial connection is outbound. The Gateway is
assigned a unique ID and password and connects to one of three Oracle VPN concentrators. The
TLS-based VPN has the following features:
■ Connection based on TLS 1.2 with AES-256 symmetric encryption; the TLS record layer
  provides both confidentiality and integrity of the tunnelled traffic.
■ Continuous VPN connection availability through the use of active/passive VPN cluster
  servers at the Oracle Services Support centers. Any hardware or software issue on the
  active VPN server fails all connections over to the backup VPN server.
■ Disaster recovery processes that use multiple clusters around the world. Any connection
  issue with one of the Oracle Services Support centers fails client connections over to the
  other Oracle Services Support centers.
FIGURE 2  A TLS-Based VPN Client Connection from Oracle Advanced Support Gateway to Oracle
Note - The TLS VPN is the standard method for establishing the connection with Oracle.
Alternative connection methods are available on an exception, customer-by-customer basis
that is summarized in “Alternative External Connection Option” on page 11. If you wish to
explore these options further, please contact your Oracle Implementation Manager.
Alternative External Connection Option
Oracle offers an alternate method for establishing a connection using IPSec. The connection
is terminated on the customer's existing VPN hardware. This option generally requires an
extended implementation cycle and is approved on an exception basis. If the customer chooses
to use their existing VPN device (for example, firewall or VPN concentrator) as a termination
point, the VPN overall requirements described above remain the same. The encryption domain
requirements for this connection will create a more complex configuration.
The requirements include, but are not limited to:
■ A public IP per Gateway connection supplied by the customer for use inside the VPN
  encryption domain;
■ Access to one /26 subnet and multiple /32 addresses inside the encryption domain;
■ Allowing the ports and protocols listed in the table specifying firewall rules between
  the Gateway and Oracle standalone hosts in this guide (see “Firewall Rules Between the
  Gateway and Oracle Standalone Hosts” on page 47) to communicate across the VPN;
■ Network Address Translation (NAT) between the host and the Oracle resources over the
  tunnel is not supported (the Gateway must communicate directly to the public IP addresses
  inside the Oracle VPN).
Controlling Remote VPN Access Using the Green Button Icon
Oracle security policies require a VPN between Oracle and the customer so that Oracle can
access the customer systems. The Oracle Advanced Support Gateway enables the customer to
control remote access to enable and disable VPN connectivity with Oracle. The Remote Access
icon, also referred to as the Green Button, is displayed in the utility menu on the top-right of the
Gateway user interface. You can set the duration of a VPN session, toggle the icon to turn the
remote access session on or off, or view a history of remote access control sessions.
Note - Remote VPN Access ("Green Button") functionality is not available for all Oracle
Connected Services. Please refer to your Oracle representative for further details.
This feature is described in Oracle Advanced Support Gateway User's Guide.
Customer Access to the Gateway
After installation of the Oracle Advanced Support Gateway is complete, Oracle retains access
to the Gateway and will require ongoing access to it for delivery of services (customer access
to the Lights Out Management (LOM) section of the server is permitted.) Customer access is
authorized only through the Customer Admin account which enables the use of the CLISH
command line interface (CLI), and through the Gateway Web portal that the customer can
access using a browser. This CLI exposes only those commands and configuration wizards
that are intended for customer interaction and customization of the Gateway. Customers are
not authorized to access the Gateway using any other user account or other CLIs (such as bash
or sh). Customers should not modify or hack the Gateway to obtain access as other users (for
example, root) and should not install any software agentry (monitoring or management) on
the Gateway. To do so would represent unauthorized access to, or modification of, an Oracle
managed system.
Internal Connection
Placing the Oracle Advanced Support Gateway in a customer's DMZ that is not directly
exposed to the Internet is the recommended internal connection option. By placing the Oracle
Advanced Support Gateway in a DMZ behind an Internet firewall, the customer has control of
traffic traversing their internal networks and also of inbound connections from the Internet.
Firewall Rules: Ports and Protocols
This section provides information about the standard firewall port configurations necessary for
the delivery of Oracle Services.
Note - The final port and firewall requirements depend on the specific Engineered System
being monitored by Oracle Services, the connectivity method chosen, and the actual customer
network design.
The following table outlines firewall port configurations and tables that provide information on
monitoring requirements. Each table is associated with the services and systems which apply to
it, for example, All Services means all remotely delivered services: Oracle Platinum Services,
Oracle Advanced Monitoring and Resolution, and Oracle Advanced Database Services (ADS.)
TABLE 1  Firewall Rules Tables, Other Monitoring Tables and Applicable Oracle Services and Systems

Table Description | Applicable Oracle Services/Systems
“Firewall Rules for External Traffic” on page 14 | All Oracle Services
“Firewall Rules Between the Gateway and the Customer Network” on page 18 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules for Gateway Hardware Self Monitoring” on page 18 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Exadata” on page 19 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and ZDLRA” on page 21 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and ZFS” on page 23 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Exalogic” on page 25 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and SuperCluster” on page 27 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Exalytics” on page 30 | Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Oracle Database Appliance” on page 31 | Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Oracle Big Data Appliance” on page 32 | Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Oracle Cloud Machine” on page 34 | Oracle Cloud Machine; Oracle Exadata Cloud Machine
“Firewall Rules Between the Gateway and Exadata Cloud Machine” on page 39 | Oracle Exadata Cloud Machine
“Firewall Rules Between the Gateway and Oracle Standalone Hosts” on page 47 | Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Oracle Third-Party Hosts” on page 48 | Oracle Advanced Monitoring and Resolution
“Firewall Rules Between the Gateway and Hosts to be Monitored by ADS” on page 49 | Oracle Advanced Database Support (ADS)
“ZFS, Exalogic, and SuperCluster ASR Endpoint IP Address Changes” on page 50 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Firewall Rules for External Traffic Through the Encrypted VPN Tunnel” on page 16 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“The Monitoring Matrix” on page 51 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
“Utilization Impact Risk of OEM Cloud Control Agent on Monitored Systems” on page 57 | All Oracle Services
“Restricted User for Monitoring Deployment (AKSH Shell)” on page 66 | Oracle Platinum Services; Oracle Advanced Monitoring and Resolution
The firewall port configurations are divided into sections:
■ “Firewall Rules for External Traffic” on page 14
■ “Firewall Rules for External Traffic Through the Encrypted VPN Tunnel” on page 16
■ “Firewall Rules for Internal Traffic” on page 17
Firewall Rules for External Traffic
Note - The source for all these entries is the Oracle Advanced Support Gateway. The rules
in Table 2, “Firewall Rules Between the Oracle Advanced Support Gateway and the Oracle
Services Support Center,” on page 14 apply to all of Oracle's Connected Services.
TABLE 2  Firewall Rules Between the Oracle Advanced Support Gateway and the Oracle Services Support Center

Destination | Destination IP Address(es) | Application Protocol | Network Protocol/Port | Purpose
adc-ps-ssl-vpn.oracle-occn.com; llg-ps-ssl-vpn.oracle-occn.com; tokyo-ps-ssl-vpn.oracle-occn.com | 198.17.210.28; 141.143.215.68; 140.83.95.28 (Note - The IP addresses of the destination hostnames have changed, as follows: 198.17.210.28 replaces 141.146.131.124; 141.143.215.68 replaces 144.24.23.68 and 143.47.2.36; 140.83.95.28 replaces 202.8.27.20) | TLS VPN | TCP/443 - TLS; UDP/443 - DTLS (Datagram TLS) | To establish a TLS VPN connection* between Oracle and the Oracle Advanced Support Gateway. *Cannot support communication through an internet proxy.
dts.oracle.com | 192.206.43.1 | HTTPS | TCP/443 | To securely transport monitoring data to Oracle.
transport-adc.oracle.com | 141.146.156.41 | HTTPS | TCP/443 | To securely transport monitoring and other data to Oracle.
ccr.oracle.com | 141.146.54.49 | HTTPS | TCP/443 | To upload the customer's configuration data to Oracle's centralized configuration repository.
support.oracle.com | 141.146.54.16 | HTTPS | TCP/443 | To download patches onto the Oracle Advanced Support Gateway from My Oracle Support (MOS) via the Oracle Enterprise Manager (OEM) Cloud Control UI.
login.oracle.com (Note - Each hostname currently resolves to multiple working IP addresses. Access to all addresses listed must be permitted as Oracle will switch from one to another in the near future.) | 209.17.4.8 | HTTPS | TCP/443 | To connect to Oracle's centralized authentication site.
linux-update.oracle.com; linux-update-adc.oracle.com; linux-update-ucf.oracle.com | 137.254.56.42; 137.254.56.42; 156.151.58.24 | HTTPS | TCP/443 | To patch the Oracle Advanced Support Gateway and to download patches (from Unbreakable Linux Network servers) for customers who have patching services.
updates.oracle.com | 141.146.44.51 | HTTPS | TCP/443 | To provide patch downloads via Oracle Enterprise Manager (OEM).
acs-rac.oracle.com | 129.157.65.44 | HTTPS | TCP/2056 | When the Remote Access Control feature is active on the Oracle Advanced Support Gateway (that is, the "Green Button" is on), rsyslog is used to send audit logs to Oracle via a secured channel.
ZFS Phone Home | 129.157.65.13; 156.151.58.18; 141.146.8.119; 129.157.65.14; 141.146.1.169 | ZFS Phone Home | TCP/443 | ZFS fault monitoring is shipped direct to these Oracle systems. Used when the Oracle Advanced Support Gateway hosts a proxy server for the ZFS Storage Heads.
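The Network Protocol/Port notation used in these tables, together with the retired addresses named in the note above, can be turned into an enforceable control. The following is an added example, not Oracle's code or part of this guide: it parses that notation, renders a handful of the Table 2 rows as a default-deny nftables output chain for the host or DMZ firewall in front of the Gateway, and flags allowlist entries that still carry the retired addresses. The table and chain names (`oasg`, `oasg_egress`) and the sample allowlist are assumptions.

```python
"""Egress allowlist tooling for the Oracle Advanced Support Gateway firewall tables.

Added example, not Oracle's code: parses the Network Protocol/Port notation used in
this guide, renders Table 2 style rows as a default-deny nftables output chain, and
flags allowlist entries that still carry the retired addresses named in the Table 2 note.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: five rows copied from Table 2 (hostname, IP, protocol/port cell).
TABLE_2 = [
    ("adc-ps-ssl-vpn.oracle-occn.com", "198.17.210.28", "TCP/443 - TLS; UDP/443 - DTLS (Datagram TLS)"),
    ("llg-ps-ssl-vpn.oracle-occn.com", "141.143.215.68", "TCP/443 - TLS; UDP/443 - DTLS (Datagram TLS)"),
    ("dts.oracle.com", "192.206.43.1", "TCP/443"),
    ("support.oracle.com", "141.146.54.16", "TCP/443"),
    ("acs-rac.oracle.com", "129.157.65.44", "TCP/2056"),
]

# Retired addresses from the Table 2 note, keyed by the address that replaced each of them.
REPLACED = {
    "198.17.210.28": {"141.146.131.124"},
    "141.143.215.68": {"144.24.23.68", "143.47.2.36"},
    "140.83.95.28": {"202.8.27.20"},
}

_PORT_RE = re.compile(r"(TCP/UDP|TCP|UDP)/(\d[\d,\s\-]*\d|\d)")  # "TCP/443", "TCP/UDP/1-65535", ...
_ICMP_RE = re.compile(r"ICMP[^)]*")                               # "ICMP (Types 8 & 0)", "ICMP Type 0 and 8"
_ICMP_NAMES = {0: "echo-reply", 8: "echo-request"}                # nftables names for the types the guide uses


@dataclass(frozen=True)
class Service:
    proto: str     # "tcp", "udp" or "icmp"
    ranges: tuple  # ((lo, hi), ...) port ranges; for icmp, each type as (t, t)


def parse_service_cell(cell: str) -> list[Service]:
    """Parse one Network Protocol/Port cell, e.g. "HTTPS (TCP/443, 7799,9702)" or "TCP/1830-1839"."""
    services = []
    for proto_txt, ports_txt in _PORT_RE.findall(cell):
        ranges = []
        for piece in ports_txt.split(","):
            lo, _, hi = piece.strip().partition("-")
            lo_i, hi_i = int(lo), int(hi or lo)
            if not 1 <= lo_i <= hi_i <= 65535:
                raise ValueError(f"bad port range {piece!r} in {cell!r}")
            ranges.append((lo_i, hi_i))
        for proto in proto_txt.lower().split("/"):  # "TCP/UDP" expands to one Service per protocol
            services.append(Service(proto, tuple(ranges)))
    icmp = _ICMP_RE.search(cell)
    if icmp:
        types = tuple((int(t), int(t)) for t in re.findall(r"\d+", icmp.group(0)))
        services.append(Service("icmp", types))
    return services


def _nft_set(ranges, names=None) -> str:
    """Render ranges as an anonymous nftables set, using symbolic names where known."""
    items = []
    for lo, hi in ranges:
        if lo != hi:
            items.append(f"{lo}-{hi}")
        else:
            items.append(names.get(lo, str(lo)) if names else str(lo))
    return "{ " + ", ".join(items) + " }"


def nft_egress_rules(rows, chain: str = "oasg_egress") -> str:
    """Render rows as a default-deny output chain: everything not in the table is dropped."""
    lines = ["table inet oasg {", f"  chain {chain} {{",
             "    type filter hook output priority 0; policy drop;"]
    for host, ip, cell in rows:
        ipaddress.ip_address(ip)  # a typo in the allowlist must fail here, not in the ruleset
        for svc in parse_service_cell(cell):
            match = (f"icmp type {_nft_set(svc.ranges, _ICMP_NAMES)}" if svc.proto == "icmp"
                     else f"{svc.proto} dport {_nft_set(svc.ranges)}")
            lines.append(f'    ip daddr {ip} {match} accept comment "{host}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


def stale_entries(allowlist, replaced=REPLACED) -> list[tuple[str, str]]:
    """Return (retired_ip, current_ip) pairs for allowlisted addresses the guide says were replaced."""
    return sorted((ip, current) for current, old in replaced.items() for ip in allowlist if ip in old)


if __name__ == "__main__":
    print(nft_egress_rules(TABLE_2))
    # Constructed sample of a DMZ allowlist that was never updated after the address change.
    for old, new in stale_entries(["141.146.131.124", "192.206.43.1", "202.8.27.20"]):
        print(f"stale allowlist entry {old}: replace with {new}")
```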
Firewall Rules for External Traffic Through the Encrypted VPN Tunnel
If you use the Oracle-provided TLS VPN solution, the following table is informational only,
illustrating the traffic transmitted over the VPN in support of the Oracle Advanced Support
Gateway. If the alternative VPN solution is used, the following traffic must be allowed to
communicate over the VPN.
TABLE 3  Firewall Rules between the Oracle Advanced Support Gateway and the Oracle Data Center Using VPN Tunnel

Source | Destination | Network Protocol/Port | Purpose
Oracle Advanced Support Gateway | 192.206.43.197/32; 198.51.38.199/32 | NTP (UDP/123) | Network Time Protocol (NTP)
Oracle Advanced Support Gateway | 192.206.43.194/32; 198.51.38.197/32 | Syslog (TCP/514) | Oracle Advanced Support Gateway Syslog
Oracle Advanced Support Gateway | 198.51.38.194/32 | HTTPS (TCP/8080,9898) | Oracle Advanced Support Gateway file integrity monitoring
198.51.38.193/32 | Oracle Advanced Support Gateway | HTTPS (TCP/8080,9898) | Oracle Advanced Support Gateway file integrity monitoring
192.206.43.209/32; 198.51.38.209/32; 140.85.164.34/32 | Oracle Advanced Support Gateway | Security Scanner: TCP/UDP/1-65535; ICMP (Types 8 & 0) | Oracle Advanced Support Gateway availability and security scanning
198.51.37.1/32; 193.188.5.1/32; 140.83.88.1/32; 140.83.88.129/32; 140.83.89.1/32; 141.146.155.40/32; 141.146.155.41/32; 192.206.43.208/32; 198.51.38.208/32 | Oracle Advanced Support Gateway | ICMP (Types 8 & 0); SSH (TCP/22); HTTPS (TCP/443, 7799, 9702); SGD (TCP/5307) | Management traffic to remotely manage Oracle Advanced Support Gateway and also facilitate remote access
Oracle Advanced Support Gateway | 192.206.43.196/32; 198.51.38.198/32 | HTTPS (TCP/443) | REST services for Oracle Advanced Support Gateway
Oracle Advanced Support Gateway | 192.206.43.193/32; 198.51.38.196/32 | LDAP (TCP/636) | Oracle Advanced Support Gateway authentication (LDAP)
Firewall Rules for Internal Traffic
This section provides internal firewall rules tables for the customer network, Oracle Advanced
Support Gateway hardware self monitoring, Exadata Database Machine (Exadata), Zero
Data Loss Recovery Appliance, ZFS Storage Appliance Racked System, Exalogic Elastic
Cloud (Exalogic), SuperCluster, Exalytics In-Memory Machine (Exalytics), Oracle Database
Appliance, Oracle Big Data Appliance, Oracle Cloud Machine, Oracle Exadata Cloud Machine,
and standalone hosts (both Oracle and third-party).
This section also provides an internal firewall rules table between the Gateway and the hosts
to be monitored by Oracle Advanced Database Support (ADS). Finally, this section contains
a table listing ASR Endpoint IP address changes that apply to the following: ZFS Storage
Appliance Racked System, Exalogic, and SuperCluster.
To see which of the following tables apply for Oracle Platinum Services, please see the Oracle-certified Platinum Services configurations on the Oracle Support website.
Note - If communication between management interfaces (that are connected to the Cisco IP
switch within the Engineered System) is separated by a firewall, Access Control List (ACL),
or any form of network filtering, the firewall rules must allow communication between these
interfaces.
■ “Firewall Rules Between the Gateway and the Customer Network” on page 18
■ “Firewall Rules for Gateway Hardware Self Monitoring” on page 18
■ “Firewall Rules Between the Gateway and Exadata” on page 19
■ “Firewall Rules Between the Gateway and ZDLRA” on page 21
■ “Firewall Rules Between the Gateway and ZFS” on page 23
■ “Firewall Rules Between the Gateway and Exalogic” on page 25
■ “Firewall Rules Between the Gateway and SuperCluster” on page 27
■ “Firewall Rules Between the Gateway and Exalytics” on page 30
■ “Firewall Rules Between the Gateway and Oracle Database Appliance” on page 31
■ “Firewall Rules Between the Gateway and Oracle Big Data Appliance” on page 32
■ “Firewall Rules Between the Gateway and Oracle Cloud Machine” on page 34
■ “Firewall Rules for the Exadata Rack” on page 46
■ “Firewall Rules Between the Gateway and Oracle Standalone Hosts” on page 47
■ “Firewall Rules Between the Gateway and Oracle Third-Party Hosts” on page 48
■ “Firewall Rules Between the Gateway and Hosts to be Monitored by ADS” on page 49
■ “ZFS, Exalogic, and SuperCluster ASR Endpoint IP Address Changes” on page 50
Firewall Rules Between the Gateway and the Customer Network
The ports outlined in this table are required for accessing the Oracle Advanced Support
Gateway customer interfaces (command line and web interfaces) as well as ports required for
integrating syslog and user management email notifications.
TABLE 4  Firewall Rules Between the Gateway and the Customer Network

Source | Destination | Network Protocol/Port | Purpose
Customer User Desktop/Intranet | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Optional: Used by customers to test connectivity to the Gateway from their internal networks.
Oracle Advanced Support Gateway | Customer default gateway on DMZ | ICMP Type 0 and 8 | Ping between the Gateway and the default router is temporarily used during installation of the Gateway to confirm network connectivity.
Customer User Desktop/Intranet | Oracle Advanced Support Gateway | TCP/22 | Customer access to CLI for network and syslog configuration of the Gateway.
Customer User Desktop/Intranet | Oracle Advanced Support Gateway | HTTPS (TCP/443) | Customer access to Portal interface for administration of the Gateway and access to services.
Oracle Advanced Support Gateway | Customer syslog server | UDP/514 | Rule required if the customer enables the Oracle Advanced Support Gateway Audit Logging feature.
Firewall Rules for Gateway Hardware Self Monitoring
This section provides an internal firewall rules table for Oracle Advanced Support Gateway
hardware self monitoring.
Note - This functionality is required only if the Gateway ILOM has been configured on a
different network than the Gateway Ethernet network interfaces.
TABLE 5  Firewall Rules for Gateway Hardware Self Monitoring

Source | Destination | Network Protocol/Port | Purpose
Bidirectional (Oracle Advanced Support Gateway ILOM and Oracle Advanced Support Gateway) | Bidirectional (Oracle Advanced Support Gateway ILOM and Oracle Advanced Support Gateway) | ICMP Type 0 and 8 | Used to test bidirectional network connectivity
Oracle Advanced Support Gateway ILOM | Oracle Advanced Support Gateway | SNMP (UDP/162) | SNMP traps for ASR telemetry (Gateway hardware self monitoring)
Oracle Advanced Support Gateway | Oracle Advanced Support Gateway ILOM | RMCP+ (UDP/623) | Management and monitoring via ILOM interface (IPMI)
Oracle Advanced Support Gateway | Oracle Advanced Support Gateway ILOM | SNMP (UDP/161) | SNMP for ASR telemetry (Gateway hardware self monitoring)
Oracle Advanced Support Gateway | Oracle Advanced Support Gateway ILOM | SSH (TCP/22) | Management and configuration of ILOM
Oracle Advanced Support Gateway | Oracle Advanced Support Gateway ILOM | ASR (TCP/6481) | ASR for discovery and monitoring by service tags
Oracle Advanced Support Gateway | Oracle Advanced Support Gateway ILOM | HTTPS (TCP/443) | Monitoring configuration and fault diagnostic collection
Firewall Rules Between the Gateway and Exadata
This section provides a table showing the internal firewall rules between the Oracle Advanced
Support Gateway and Oracle Exadata Database Machine.
TABLE 6  Firewall Rules Between the Gateway and Exadata

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
OEM | Oracle Advanced Support Gateway | DB Node and DomU | TCP/1830-1839 | OEM Agent communication; typically port 1830 is used for Oracle Services
SNMP | Oracle Advanced Support Gateway | Infiniband; PDU; Cisco Switch; Cell Node ILOM; Cell Node; DB Node ILOM; DB Node and DomU | UDP/161 | SNMP for ASR telemetry
ASR | Oracle Advanced Support Gateway | Infiniband; Cell Node; Cell Node ILOM; DB Node; DB Node ILOM | TCP/6481 | ASR for discovery and monitoring by service tags
HTTPS | Oracle Advanced Support Gateway | Cell Node ILOM; DB Node ILOM; Infiniband | TCP/443 | Monitoring configuration and fault diagnostic collection
HTTP/HTTPS | Oracle Advanced Support Gateway | PDU (Note - In late Exadata X4-2 and X5-2 or above, the PDU Web interface can only be accessed using HTTPS, not HTTP.) | TCP/80 (HTTP) or TCP/443 (HTTPS) | PDU web interface for monitoring configuration and diagnostics
SSH | Oracle Advanced Support Gateway | Infiniband; Cell Node; Cell Node ILOM; DB Node and DomU; DB Node ILOM; PDU | TCP/22 | Monitoring configuration, fault diagnostics and patching
SSH/Telnet | Oracle Advanced Support Gateway | Cisco Switch (older switches support only Telnet) | TCP/22 (SSH) or TCP/23 (Telnet) | Monitoring configuration, fault diagnostics and patching
SQL | Oracle Advanced Support Gateway | DB listener IP (VIP) (Note - If a database is only listening on a Client/VIP, then access to this interface must also be allowed.) | DB listener port, default is TCP/1521 | DB listener port for discovery and ongoing monitoring. Note - This is not required for Platinum Services customers.
RMCP+ | Oracle Advanced Support Gateway | Cell Node ILOM; DB Node ILOM | UDP/623 | Management and monitoring via ILOM interface (IPMI)
HTTPS (OEM Agent) | DB Node and DomU | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway. Note - For Exadata, customers must add static routes to force all traffic with Oracle Advanced Support Gateway as its destination to use the Management Network as a primary interface for communication. The static route must be permanent because in the event of any restart of the nodes, the route will be deleted and communication between the agents and Oracle Advanced Support Gateway will go down.
SNMP | Infiniband; PDU; Cisco Switch; Cell Node ILOM; Cell Node; DB Node ILOM; DB Node | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events and/or network monitoring
Firewall Rules Between the Gateway and ZDLRA
This section provides a table showing the internal firewall rules between the Oracle Advanced
Support Gateway and Oracle Zero Data Loss Recovery Appliance (ZDLRA).
TABLE 7  Firewall Rules Between the Gateway and Zero Data Loss Recovery Appliance

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
OEM | Oracle Advanced Support Gateway | Compute Node | TCP/1830-1839 | OEM Agent communication; typically port 1830 is used for Oracle Services
SNMP | Oracle Advanced Support Gateway | Infiniband; PDU; Cisco Switch; Storage Node ILOM; Storage Node; Compute Node ILOM; Compute Node | UDP/161 | SNMP for ASR telemetry
ASR | Oracle Advanced Support Gateway | Infiniband; Storage Node; Storage Node ILOM; Compute Node; Compute Node ILOM | TCP/6481 | ASR for discovery and monitoring by service tags
HTTPS | Oracle Advanced Support Gateway | Storage Node ILOM; Compute Node ILOM; Infiniband | TCP/443 | Monitoring configuration and fault diagnostic collection
HTTP/HTTPS | Oracle Advanced Support Gateway | PDU (Note - In late Exadata X4-2 and X5-2 or above, the PDU Web interface can only be accessed using HTTPS, not HTTP.) | TCP/80 (HTTP) or TCP/443 (HTTPS) | PDU web interface for monitoring configuration and diagnostics
SSH | Oracle Advanced Support Gateway | Infiniband; Storage Node; Storage Node ILOM; Compute Node; Compute Node ILOM; PDU | TCP/22 | Monitoring configuration, fault diagnostics and patching
SSH/Telnet | Oracle Advanced Support Gateway | Cisco Switch (older switches support only Telnet) | TCP/22 (SSH) or TCP/23 (Telnet) | Monitoring configuration, fault diagnostics and patching
SQL | Oracle Advanced Support Gateway | DB listener IP (VIP) (Note - If a database is only listening on a Client/VIP, then access to this interface must also be allowed.) | DB listener port, default is TCP/1521 | DB listener port for discovery and ongoing monitoring
RMCP+ | Oracle Advanced Support Gateway | Storage Node ILOM; Compute Node ILOM | UDP/623 | Management and monitoring via ILOM interface (IPMI)
HTTPS (OEM Agent) | Compute Node | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway. Note - For Zero Data Loss Recovery Appliance, customers must add static routes to force all traffic with Oracle Advanced Support Gateway as its destination to use the Management Network as a primary interface for communication. The static route must be permanent because in the event of any restart of the nodes, the route will be deleted and communication between the agents and Oracle Advanced Support Gateway will go down.
SNMP | Infiniband; PDU; Cisco Switch; Storage Node ILOM; Storage Node; Compute Node ILOM; Compute Node | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events and/or network monitoring
Firewall Rules Between the Gateway and ZFS
This section provides a table showing the internal firewall rules between the Oracle Advanced
Support Gateway and Oracle ZFS Storage Appliance Racked System (ZFS).
TABLE 8  Firewall Rules Between the Gateway and ZFS Storage Appliance Racked System

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
SSH | Oracle Advanced Support Gateway | ZFS Storage Heads | TCP/22 | Monitoring configuration, fault diagnostics, and patching
SSH | Oracle Advanced Support Gateway | PDU | TCP/22 | Monitoring configuration, fault diagnostics and patching
HTTPS | Oracle Advanced Support Gateway | PDU | TCP/443 (HTTPS) | PDU web interface for monitoring configuration and diagnostics
HTTPS | Oracle Advanced Support Gateway | ZFS ILOM | TCP/443 | Monitoring configuration and fault diagnostic collection
HTTPS | Oracle Advanced Support Gateway | ZFS Storage Heads | TCP/215 | OEM plug-in communication to ZFS for monitoring
SNMP | Oracle Advanced Support Gateway | PDU; ZFS ILOM | UDP/161 | SNMP for ASR telemetry
SNMP | ZFS ILOM; ZFS Storage Heads; PDU | Oracle Advanced Support Gateway | UDP/162 | SNMP for Monitoring Events
RMCP+ | Oracle Advanced Support Gateway | ZFS ILOM | UDP/623 | Management and monitoring using the ILOM interface (IPMI)
ZFS Phone Home | ZFS Storage Heads | asr-services.oracle.com; inv-cs.oracle.com; Direct access or proxy to: transport.oracle.com (129.157.65.13 or 129.157.65.14); Proxy IP 141.146.1.169 | TCP/443 or proxy port | ZFS Phone Home can also support an internet proxy
ZFS Phone Home | ZFS Storage Heads | Oracle Advanced Support Gateway | TCP/8000 | Gateway hosting a proxy server
SSH | ZFS Controllers | Oracle Advanced Support Gateway | TCP/22 | Used to copy patches from the gateway to the ZFS arrays as SCP is available only to pull from a remote system to the ZFS array.
Note - ZFS reporting for ASR is an exception as error telemetry is reported directly to Oracle
using port 443.
Firewall Rules Between the Gateway and Exalogic
This section provides a table showing the internal firewall rules between the Oracle Advanced
Support Gateway and Oracle Exalogic Elastic Cloud.
TABLE 9  Firewall Rules Between the Gateway and Exalogic

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
OEM | Oracle Advanced Support Gateway | Compute Node | TCP/1830-1839 | OEM Agent communication, typically 1830 is used for Oracle Services
SNMP | Oracle Advanced Support Gateway | Infiniband; Control VMs (virtual only); PDU; Cisco Switch; Compute Node; Compute Node ILOM; Virtual Instances | UDP/161 | SNMP for ASR telemetry
ASR | Oracle Advanced Support Gateway | Compute Node; Compute Node ILOM; Infiniband | TCP/6481 | ASR for discovery and monitoring by service tags
HTTPS | Oracle Advanced Support Gateway | Compute Node ILOM; Infiniband; ZFS ILOM | TCP/443 | Monitoring configuration and fault diagnostic collection
HTTP/HTTPS | Oracle Advanced Support Gateway | PDU (Note - In late Exalogic X4-2 and X5-2 or above, the PDU Web interface can only be accessed using HTTPS, not HTTP.) | TCP/80 (HTTP) or TCP/443 (HTTPS) | PDU web interface for monitoring configuration and diagnostics
SSH | Oracle Advanced Support Gateway | Infiniband; Control VMs (virtual only); ZFS Storage Heads; Compute Node; ZFS ILOM; Compute Node ILOM | TCP/22 | Monitoring configuration, fault diagnostics and patching
SSH/Telnet | Oracle Advanced Support Gateway | Cisco Switch (older switches support only Telnet) | TCP/22 (SSH) or TCP/23 (Telnet) | Monitoring configuration, fault diagnostics and patching
SQL | Oracle Advanced Support Gateway | Control VMs (Virtual only) (Note - If a database is only listening on a Client/VIP, access to this interface must also be allowed.) | DB listener port, default is TCP/1521 | DB listener port for discovery and ongoing monitoring
RMCP+ | Oracle Advanced Support Gateway | Compute Node ILOM | UDP/623 | Management and monitoring using the ILOM interface (IPMI)
HTTPS | Oracle Advanced Support Gateway | Compute Node | TCP/7001-7002 | Monitoring install and diagnostics collection
HTTPS - ZFS agent | Oracle Advanced Support Gateway | ZFS Storage Heads | TCP/215 | OEM plug-in communication to ZFS for monitoring
HTTPS (OEM agent) | Compute Node | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway. Note - For Exalogic, customers must add static routes to force all traffic with Oracle Advanced Support Gateway as its destination to use the Management Network as a primary interface for communication. The static route must be permanent because in the event of any restart of the nodes, the route will be deleted and communication between the agents and Oracle Advanced Support Gateway will go down.
SNMP | Infiniband; Control VMs (virtual only); PDU; ZFS ILOM; Cisco Switch; Compute Node; Compute Node ILOM | Oracle Advanced Support Gateway | UDP/162 | SNMP for Monitoring Events
HTTP | Compute Node (Solaris) Zones | Oracle Advanced Support Gateway | TCP/5555 | Solaris Explorer uploads for automatic uploads for events
HTTPS | Compute Node (Solaris) Zones | Oracle Advanced Support Gateway | TCP/8234 | ASR Assets to communicate with ASR Manager
ZFS Phone Home | ZFS Storage Heads | asr-services.oracle.com; inv-cs.oracle.com; Direct access or proxy to: transport.oracle.com (129.157.65.13 or 129.157.65.14); Proxy IP 141.146.1.169 | TCP/443 or proxy port | ZFS Phone Home can also support an internet proxy
ZFS Phone Home | ZFS Storage Heads | Oracle Advanced Support Gateway | TCP/8000 | Gateway hosting a proxy server
Firewall Rules Between the Gateway and SuperCluster
This section provides a table showing the internal firewall rules between the Oracle Advanced
Support Gateway and Oracle SuperCluster.
TABLE 10  Firewall Rules Between the Gateway and SuperCluster

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
OEM | Oracle Advanced Support Gateway | All Domains | TCP/1830-1839 | OEM agent communication, typically 1830 is used for Oracle Services
SNMP | Oracle Advanced Support Gateway | Infiniband; Zones based on monitoring service; PDU; Cisco Switch; SPARC Server ILOMs (virtual/floating addresses as well as physical addresses); Primary Domains; Cell Node; Cell Node ILOM | UDP/161 | SNMP for ASR telemetry
ASR | Oracle Advanced Support Gateway | Infiniband; SPARC Server ILOMs (virtual/floating addresses as well as physical addresses); Primary Domains; Cell Node; Cell Node ILOM | TCP/6481 | ASR for discovery and monitoring by service tags
HTTPS | Oracle Advanced Support Gateway | SPARC Server ILOMs (virtual/floating addresses as well as physical addresses); Infiniband; ZFS ILOM; Cell Node ILOM | TCP/443 | Monitoring configuration and fault diagnostic collection
HTTPS - ZFS agent | Oracle Advanced Support Gateway | ZFS Storage Heads | TCP/215 | OEM plug-in communication to ZFS for monitoring
SSH | Oracle Advanced Support Gateway | Infiniband; ZFS Storage Heads; ZFS ILOM; SPARC Server ILOMs (virtual/floating addresses as well as physical addresses); Cell Node ILOM; Cell Node; PDU; All Domains; Zones based on monitoring service | TCP/22 | Monitoring configuration, fault diagnostics and patching
HTTP/HTTPS | Oracle Advanced Support Gateway | PDU | TCP/80 (HTTP) or TCP/443 (HTTPS) | PDU web interface for monitoring configuration and diagnostics
SSH/Telnet | Oracle Advanced Support Gateway | Cisco Switch (older switches support only Telnet) | TCP/22 (SSH) or TCP/23 (Telnet) | Monitoring configuration, fault diagnostics and patching
SQL | Oracle Advanced Support Gateway | Database domains/zones; Client/VIP (Note - if a database is only listening on a Client/VIP, access to this interface must also be allowed.) | DB listener port, default is TCP/1521 | DB listener port for discovery and ongoing monitoring. Note - This is not required for Platinum Services customers.
RMCP+ | Oracle Advanced Support Gateway | SPARC Server ILOMs (virtual/floating addresses as well as physical addresses); Cell Node ILOM; ZFS ILOM | UDP/623 | Management and monitoring using ILOM interface (IPMI)
WebLogic | Oracle Advanced Support Gateway | WebLogic instances | TCP/7001-7002 | Monitoring install and diagnostics collection
HTTPS (OEM Agent) | All Domains | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway. Note - For SuperCluster, customers must add static routes to force all traffic with Oracle Advanced Support Gateway as its destination to use the Management Network as a primary interface for communication. The static route must be permanent because in the event of any restart of the nodes, the route will be deleted and communication between the agents and Oracle Advanced Support Gateway will go down.
SNMP | Primary Domains; Zones based on monitoring service; Infiniband; PDU; Cisco Switch; SPARC Server ILOMs (virtual/floating addresses as well as physical addresses); Cell Node; Cell Node ILOM | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events
HTTP | Primary Domains | Oracle Advanced Support Gateway | TCP/5555 | Solaris Explorer uploads for automatic uploads for events
HTTPS | Primary Domains | Oracle Advanced Support Gateway | TCP/8234 | ASR Manager to communicate with ASR Assets
HTTPS | Oracle Advanced Support Gateway | SuperCluster Control Domain | TCP/8000 | Access to the IO Domain Creation Tool for Monitoring and log file collection
ZFS Phone Home | ZFS Storage Heads | asr-services.oracle.com; inv-cs.oracle.com; Direct access or proxy to: transport.oracle.com (129.157.65.13 or 129.157.65.14); Proxy IP 141.146.1.169 | TCP/443 or proxy port | ZFS Phone Home can also support an internet proxy
ZFS Phone Home | ZFS Storage Heads | Oracle Advanced Support Gateway | TCP/8000 | Gateway hosting a proxy server
Firewall Rules Between the Gateway and Exalytics
This section provides a table showing the internal firewall rules between the Oracle Advanced
Support Gateway and Oracle Exalytics In-Memory Machine.
TABLE 11  Firewall Rules Between the Gateway and Exalytics

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
SNMP | Oracle Advanced Support Gateway | Exalytics and Exalytics ILOM | UDP/161 | SNMP for ASR telemetry
ASR | Oracle Advanced Support Gateway | Exalytics and Exalytics ILOM | TCP/6481 | ASR for discovery and monitoring by service tags
HTTPS | Exalytics CDom | Oracle Advanced Support Gateway | TCP/8234 | ASR Manager to communicate with ASR Assets
OEM | Oracle Advanced Support Gateway | Exalytics Domains and DomU | TCP/1830-1839 | OEM Agent communication, typically 1830 is used for Oracle Services
SSH | Oracle Advanced Support Gateway | Exalytics Domains, DomU, Dom0, and ILOM | TCP/22 | Monitoring configuration, fault diagnostics and patching
SNMP | Exalytics CDom and ILOM | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events and/or network monitoring
HTTPS (OEM Agent) | Exalytics Domains and DomU | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
RMCP+ | Oracle Advanced Support Gateway | Exalytics ILOM | UDP/623 | Management and monitoring via ILOM interface (IPMI)
HTTPS | Oracle Advanced Support Gateway | Exalytics and Exalytics ILOM | TCP/443 | Monitoring configuration and fault diagnostic collection
Firewall Rules Between the Gateway and Oracle Database Appliance
This section provides a table showing the internal firewall rules between the Oracle Advanced
Support Gateway and Oracle Database Appliance.
TABLE 12  Firewall Rules Between the Gateway and Oracle Database Appliance

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
SNMP | Oracle Advanced Support Gateway | DB, Compute Node, and Compute Node ILOM | UDP/161 | SNMP for ASR telemetry
ASR | Oracle Advanced Support Gateway | DB, Compute Node, and Compute Node ILOM | TCP/6481 | ASR for discovery and monitoring by service tags
OEM | Oracle Advanced Support Gateway | DB, DomU, or Compute Node | TCP/1830-1839 | OEM Agent communication, typically 1830 is used for Oracle Services
SSH | Oracle Advanced Support Gateway | DB, DomU, Compute Node, and Compute Node ILOM | TCP/22 | Monitoring configuration, fault diagnostics and patching
SNMP | DB, Compute Node, and Compute Node ILOM | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events and/or network monitoring
HTTPS (OEM Agent) | DB, DomU, and Compute Node | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
RMCP+ (IPMI) | Oracle Advanced Support Gateway | Compute Node ILOM | UDP/623 | Management and monitoring via ILOM interface (IPMI)
HTTPS | Oracle Advanced Support Gateway | DB or Compute Node ILOM | TCP/443 | Monitoring configuration and fault diagnostic collection
Firewall Rules Between the Gateway and Oracle Big Data Appliance
This section provides a table showing the internal firewall rules between the Oracle Advanced
Support Gateway and Oracle Big Data Appliance.
TABLE 13  Firewall Rules Between the Gateway and Oracle Big Data Appliance

Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
SNMP | Oracle Advanced Support Gateway | Infiniband; PDU; Cisco Switch; Compute Node ILOM; DomU, or Compute Node | UDP/161 | SNMP for ASR telemetry
ASR | Oracle Advanced Support Gateway | Infiniband; Compute Node; Compute Node ILOM | TCP/6481 | ASR for discovery and monitoring by service tags
OEM | Oracle Advanced Support Gateway | DomU or Compute Node | TCP/1830-1839 | OEM Agent communication, typically 1830 is used for Oracle Services
SSH | Oracle Advanced Support Gateway | Infiniband; DomU; Compute Node ILOM; PDU | TCP/22 | Monitoring configuration, fault diagnostics and patching
SNMP | Infiniband; PDU; Cisco Switch; Compute Node ILOM; Compute Node | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events and/or network monitoring
HTTPS (OEM Agent) | Compute Node; DomU | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
RMCP+ (IPMI) | Oracle Advanced Support Gateway | Compute Node ILOM | UDP/623 | Management and monitoring via ILOM interface (IPMI)
HTTPS | Oracle Advanced Support Gateway | Compute Node ILOM | TCP/443 | Monitoring configuration and fault diagnostic collection
SSH/Telnet | Oracle Advanced Support Gateway | Cisco Switch (older switches support only Telnet); Infiniband | TCP/22 (SSH) or TCP/23 (Telnet) | Monitoring configuration, fault diagnostics and patching
HTTP | Oracle Advanced Support Gateway | PDU | TCP/80 (HTTP); TCP/443 (HTTPS) | PDU web interface for monitoring configuration and diagnostics
HTTP/HTTPS | Oracle Advanced Support Gateway | Cloudera Manager | TCP/7180 (HTTP) or TCP/7183 (HTTPS) | Cloudera Manager web interface for monitoring configuration and diagnostics. The Cloudera Manager must be HTTPS or HTTP. The customer may change the default ports.
Oracle Advanced Support Gateway Security Guide
33
Firewall Rules for Internal Traffic
Firewall Rules Between the Gateway and Oracle Cloud Machine
This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle Cloud Machine (OCM).
Note - ZFS reporting for ASR is an exception as error telemetry is reported directly to Oracle using port 443 on OCM.
TABLE 14 Firewall Rules Between the Gateway and Oracle Cloud Machine
Application Protocol | Source Interface(s) | Destination Interface(s) | Network | Protocol/Port | Purpose
ICMP | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Oracle Advanced Support Gateway | Eth-Admin | ICMP Type 8 | Used to test network connectivity between OCM systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Eth-Admin | ICMP Type 0 | Used to test network connectivity between OCM systems and the Gateway
ICMP | Compute nodes (cn); Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | Oracle Advanced Support Gateway | EoIB-Management | ICMP Type 8 | Used to test network connectivity between OCM systems and the Gateway
ICMP | Oracle Advanced Support Gateway | Compute nodes (cn); Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | EoIB-Management | ICMP Type 0 | Used to test network connectivity between OCM systems and the Gateway
ICMP | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | Oracle Advanced Support Gateway | EoIB-OMS | ICMP Type 8 | Used to test network connectivity between OCM systems and the Gateway
ICMP | Oracle Advanced Support Gateway | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | EoIB-OMS | ICMP Type 0 | Used to test network connectivity between OCM systems and the Gateway
OEM | Oracle Advanced Support Gateway | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | EoIB-OMS | TCP/1830-1839 | OEM agent communication, typically 1830 is used for Oracle Services
OEM | Oracle Advanced Support Gateway | Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | EoIB-Management | TCP/1830-1839 | OEM agent communication, typically 1830 is used for Oracle Services
ASR | Oracle Advanced Support Gateway | Compute Node ILOMs; All Infiniband switches; Internal ZFS Storage ILOMs; External ZFS Storage ILOMs | Eth-Admin | TCP/6481 | ASR for discovery and monitoring by service tags
HTTPS | Oracle Advanced Support Gateway | Compute Node ILOMs; All Infiniband switches; Internal ZFS Storage ILOMs; External ZFS Storage ILOMs; PDU | Eth-Admin | TCP/443 | Web interface for monitoring configuration and diagnostics
SSH | Oracle Advanced Support Gateway | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Eth-Admin | TCP/22 | Monitoring configuration, fault diagnostics, and patching
SSH | Oracle Advanced Support Gateway | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | EoIB-OMS | TCP/22 | Monitoring configuration, fault diagnostics, and patching
SSH | Oracle Advanced Support Gateway | Compute nodes (cn); Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | EoIB-Management | TCP/22 | Monitoring configuration, fault diagnostics, and patching
SQL | Oracle Advanced Support Gateway | Infrastructure Database (cidb) VMs | EoIB-OMS | DB listener port, default is TCP/1521 | DB listener port for discovery and ongoing monitoring
IPMI | Oracle Advanced Support Gateway | Compute Node ILOMs; All Infiniband switches; Internal ZFS Storage ILOMs; External ZFS Storage ILOMs | Eth-Admin | UDP/623 | Management and monitoring using the ILOM interface (IPMI)
HTTPS (OEM Agent) | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | Oracle Advanced Support Gateway | EoIB-OMS | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
HTTPS (OEM Agent) | Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | Oracle Advanced Support Gateway | EoIB-Management | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
HTTPS (WebLogic Consoles) | Oracle Advanced Support Gateway | PaaS Management (cipsm) VMs | EoIB-Management | TCP/7101, 7103 | WebLogic application management
HTTPS (WebLogic Consoles) | Oracle Advanced Support Gateway | Service Deployment Infrastructure and Tenant Automation Solution (cisdi) VMs | EoIB-OMS | TCP/7001, 7003 | WebLogic application management
HTTPS (WebLogic Consoles) | Oracle Advanced Support Gateway | The following VMs: Identity Management (cisim); Integration Cloud Services (ics); Messaging (msg-mcs) | EoIB-OMS | TCP/7001 | WebLogic application management
HTTPS (Traffic Director Console) | Oracle Advanced Support Gateway | The following VMs: External routing (cilbe); Internal routing (cilbi) | EoIB-OMS | TCP/8989 | Oracle Traffic Director management
HTTPS (PSM Traffic Director Console) | Oracle Advanced Support Gateway | PaaS Management (cipsm) VMs | EoIB-Management | TCP/8989 | PSM Traffic Director management
HTTPS (IDM Admin) | Oracle Advanced Support Gateway | External routing (cilbe) VMs | EoIB-OMS | TCP/6900, 443, 4443 | IDM administration
SNMP | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Oracle Advanced Support Gateway | Eth-Admin | UDP/162 | SNMP for monitoring events
SNMP | Oracle Advanced Support Gateway | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Eth-Admin | UDP/161 | SNMP event enrichment
SNMP | Compute nodes (cn) | Oracle Advanced Support Gateway | EoIB-Management | UDP/162 | SNMP for monitoring events
SNMP | Oracle Advanced Support Gateway | Compute nodes (cn) | EoIB-Management | UDP/161 | SNMP event enrichment
HTTPS | Oracle Advanced Support Gateway | Compute Nodes (cn); Host API Endpoint; Admin API Endpoint | EoIB-Management | TCP/443 | Secure Web interface (hardware consoles, Identity Management console, API access)
HTTPS | Internal ZFS Storage Controllers; External ZFS Storage Controllers | Oracle Advanced Support Gateway | Eth-Admin | TCP/8000 | Optional ZFS ASR proxy
SSH | Internal ZFS Storage Controllers; External ZFS Storage Controllers | Oracle Advanced Support Gateway | Eth-Admin | TCP/22 | Copying of patches
HTTP | Oracle Advanced Support Gateway | Internal ZFS Storage Controllers; External ZFS Storage Controllers | Eth-Admin | TCP/215 | ZFS management
HTTPS | Privileged Control VMs (cipc) | External routing (cilbe) VMs; External routing VIP | EoIB-Public | TCP/6900, 443, 4443 | Service monitoring
HTTP | Oracle Advanced Support Gateway | PaaS Management (cipsm) VMs; PaaS Management VIP | Eth-Management | TCP/80 | Service console validation
Firewall Rules Between the Gateway and Exadata Cloud Machine
This section provides a number of tables showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle Database Exadata Cloud Machine (ExaCM). Please refer to the following:
■ “Firewall Rules Between the Gateway and Exadata Cloud Machine” on page 39
■ “Firewall Rules Between the Gateway and Exadata Cloud Machine Components” on page 44
■ “Firewall Rules for the Exadata Rack” on page 46
Firewall Rules Between the Gateway and Exadata Cloud Machine
This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle Database Exadata Cloud Machine (ExaCM).
Note - ZFS reporting for ASR is an exception as error telemetry is reported directly to Oracle using port 443 on ExaCM.
TABLE 15 Firewall Rules Between the Gateway and Exadata Cloud Machine
Application Protocol | Source Interface(s) | Destination Interface(s) | Network | Protocol/Port | Purpose
ICMP | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Oracle Advanced Support Gateway | Eth-Admin | ICMP Type 8 | Used to test network connectivity between ExaCM systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Eth-Admin | ICMP Type 0 | Used to test network connectivity between ExaCM systems and the Gateway
ICMP | Compute nodes (cn); Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | Oracle Advanced Support Gateway | EoIB-Management | ICMP Type 8 | Used to test network connectivity between ExaCM systems and the Gateway
ICMP | Oracle Advanced Support Gateway | Compute nodes (cn); Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | EoIB-Management | ICMP Type 0 | Used to test network connectivity between ExaCM systems and the Gateway
ICMP | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | Oracle Advanced Support Gateway | EoIB-OMS | ICMP Type 8 | Used to test network connectivity between ExaCM systems and the Gateway
ICMP | Oracle Advanced Support Gateway | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | EoIB-OMS | ICMP Type 0 | Used to test network connectivity between ExaCM systems and the Gateway
OEM | Oracle Advanced Support Gateway | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | EoIB-OMS | TCP/1830-1839 | OEM agent communication, typically 1830 is used for Oracle Services
OEM | Oracle Advanced Support Gateway | Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | EoIB-Management | TCP/1830-1839 | OEM agent communication, typically 1830 is used for Oracle Services
ASR | Oracle Advanced Support Gateway | Compute Node ILOMs; All Infiniband switches; Internal ZFS Storage ILOMs; External ZFS Storage ILOMs | Eth-Admin | TCP/6481 | ASR for discovery and monitoring by service tags
HTTPS | Oracle Advanced Support Gateway | Compute Node ILOMs; All Infiniband switches; Internal ZFS Storage ILOMs; External ZFS Storage ILOMs; PDU | Eth-Admin | TCP/443 | Web interface for monitoring configuration and diagnostics
SSH | Oracle Advanced Support Gateway | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Eth-Admin | TCP/22 | Monitoring configuration, fault diagnostics, and patching
SSH | Oracle Advanced Support Gateway | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | EoIB-OMS | TCP/22 | Monitoring configuration, fault diagnostics, and patching
SSH | Oracle Advanced Support Gateway | Compute nodes (cn); Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | EoIB-Management | TCP/22 | Monitoring configuration, fault diagnostics, and patching
SQL | Oracle Advanced Support Gateway | Infrastructure Database (cidb) VMs | EoIB-OMS | DB listener port, default is TCP/1521 | DB listener port for discovery and ongoing monitoring
IPMI | Oracle Advanced Support Gateway | Compute Node ILOMs; All Infiniband switches; Internal ZFS Storage ILOMs; External ZFS Storage ILOMs | Eth-Admin | UDP/623 | Management and monitoring using the ILOM interface (IPMI)
HTTPS (OEM Agent) | The following VMs: Database (cidb); External routing (cilbe); Internal routing (cilbi); Service delivery infrastructure (cisdi); Identity management (cisim); Integration cloud services (ics); Messaging (msg) | Oracle Advanced Support Gateway | EoIB-OMS | TCP/1159 | OEM agent communication to the Gateway
HTTPS (OEM Agent) | Privileged Control VMs (cipc); PaaS management (cipsm); Grill (cigrill) | Oracle Advanced Support Gateway | EoIB-Management | TCP/1159 | OEM agent communication to the Gateway
HTTPS (WebLogic Consoles) | Oracle Advanced Support Gateway | PaaS management (cipsm) VMs | EoIB-Management | TCP/7101, 7103 | WebLogic application management
HTTPS (WebLogic Consoles) | Oracle Advanced Support Gateway | Service Deployment Infrastructure and Tenant Automation Solution (cisdi) VMs | EoIB-OMS | TCP/7001, 7003 | WebLogic application management
HTTPS (WebLogic Consoles) | Oracle Advanced Support Gateway | The following VMs: Identity Management (cisim); Integration Cloud Services (ics); Messaging (msg-mcs) | EoIB-OMS | TCP/7001 | WebLogic application management
HTTPS (Traffic Director Console) | Oracle Advanced Support Gateway | Oracle Traffic Director (cilbe, cilbi) VMs | EoIB-OMS | TCP/8989 | Oracle Traffic Director management
HTTPS (PSM Traffic Director Console) | Oracle Advanced Support Gateway | PaaS management (cipsm) VMs | EoIB-Management | TCP/8989 | PSM Traffic Director management
HTTPS (IDM Admin) | Oracle Advanced Support Gateway | External routing (cilbe) VMs | EoIB-OMS | TCP/6900, 443, 4443 | IDM administration
SNMP | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Oracle Advanced Support Gateway | Eth-Admin | UDP/162 | SNMP for monitoring events
SNMP | Oracle Advanced Support Gateway | All Infiniband switches; Internal ZFS Storage Controllers (sn); External ZFS Storage Controllers; Compute and Storage ILOMs (ilom); PDU; Cisco switches | Eth-Admin | UDP/161 | SNMP event enrichment
SNMP | Compute nodes (cn) | Oracle Advanced Support Gateway | EoIB-Management | UDP/162 | SNMP for monitoring events
SNMP | Oracle Advanced Support Gateway | Compute nodes (cn) | EoIB-Management | UDP/161 | SNMP event enrichment
HTTPS | Oracle Advanced Support Gateway | Compute Nodes (cn); Host API Endpoint; Admin API Endpoint | EoIB-Management | TCP/443 | Secure Web interface (hardware consoles, Identity Management console, API access)
HTTPS | Internal ZFS Storage Controllers; External ZFS Storage Controllers | Oracle Advanced Support Gateway | Eth-Admin | TCP/8000 | Optional ZFS ASR proxy
SSH | Internal ZFS Storage Controllers; External ZFS Storage Controllers | Oracle Advanced Support Gateway | Eth-Admin | TCP/22 | Copying of patches
HTTP | Oracle Advanced Support Gateway | Internal ZFS Storage Controllers; External ZFS Storage Controllers | Eth-Admin | TCP/215 | ZFS management
HTTPS | Privileged Control VMs (cipc) | External routing (cilbe) VMs; External routing VIP | EoIB-Public | TCP/6900, 443, 4443 | Service monitoring
HTTP | Oracle Advanced Support Gateway | PaaS management (cipsm) VMs; PaaS management VIP | EoIB-Management | TCP/80 | Service console validation
Firewall Rules Between the Gateway and Exadata Cloud Machine Components
This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle Database Exadata Cloud Machine (ExaCM) components.
TABLE 16 Firewall Rules Between the Gateway and Exadata Cloud Machine Components
Application Protocol | Source Interface(s) | Destination Interface(s) | Network | Protocol/Port | Purpose
ICMP | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Oracle Advanced Support Gateway | Eth-Admin | ICMP Type 8 | Used to test network connectivity between ExaCM systems and the Gateway
ICMP | Oracle Advanced Support Gateway | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Eth-Admin | ICMP Type 0 | Used to test network connectivity between ExaCM systems and the Gateway
IPMI | Oracle Advanced Support Gateway | Exadata targets: Exadata Storage ILOM; Compute node ILOMs | Eth-Admin | UDP/623 | Management and monitoring using the ILOM interface (IPMI)
SSH | Oracle Advanced Support Gateway | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Eth-Admin | TCP/22 | Monitoring configuration, fault diagnostics, and patching
ASR | Oracle Advanced Support Gateway | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs | Eth-Admin | TCP/6481 | ASR for discovery and monitoring by service tags
SNMP | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Oracle Advanced Support Gateway | Eth-Admin | UDP/162 | SNMP for monitoring events
SNMP | Oracle Advanced Support Gateway | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Eth-Admin | UDP/161 | SNMP event enrichment
HTTPS | Oracle Advanced Support Gateway | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU | Eth-Admin | TCP/443 | Monitoring configuration, fault diagnostics, and patching
SSH | Oracle Advanced Support Gateway | Exadata Cloud Rest API (ECRA) VMs | EoIB-Management | TCP/22 | Monitoring configuration, fault diagnostics, and patching
OEM | Oracle Advanced Support Gateway | Exadata Cloud Rest API (ECRA) VMs | EoIB-Management | TCP/1830-1839 | OEM agent communication, typically 1830 is used for Oracle Services
HTTPS (OEM agent) | Exadata Cloud Rest API (ECRA) VMs | Oracle Advanced Support Gateway | EoIB-Management | TCP/1159 | OEM agent communication to the Gateway
HTTPS (application monitoring) | Oracle Advanced Support Gateway | Exadata Cloud Rest API (ECRA) VMs | EoIB-Management | TCP/7080, 8001, 9001 | Service monitoring and management
Firewall Rules for the Exadata Rack
This section provides a table showing the firewall rules for the Exadata rack. These rules are required if the Exadata rack is isolated from the Oracle Cloud Machine (OCM) and sits behind a firewall.
TABLE 17 Firewall Rules for the Exadata Rack
Application Protocol | Source Interface(s) | Destination Interface(s) | Network | Protocol/Port | Purpose
SSH | Exadata Cloud Rest API (ECRA) VMs | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Eth-Admin | TCP/22 | Required for monitoring
HTTPS | Exadata Cloud Rest API (ECRA) VMs | PDU | Eth-Admin | TCP/443 | PDU Monitoring
IPMI | Exadata Cloud Rest API (ECRA) VMs | Exadata targets: Exadata Storage ILOM; Compute node ILOMs | Eth-Admin | UDP/623 | EM hardware monitoring via ipmitool
SNMP | Exadata Storage Servers | Exadata Cloud Rest API (ECRA) VMs | Eth-Admin | UDP/1830 | Exadata Storage Server alerts are forwarded to OEM plug-in
ICMP | Exadata Cloud Rest API (ECRA) VMs | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Eth-Admin | ICMP Type 8 | Monitor network available for all Exadata targets
ICMP | Exadata targets: Infiniband; Exadata Storage Servers; Exadata Storage ILOM; Compute nodes; Compute node ILOMs; PDU; Cisco switches | Exadata Cloud Rest API (ECRA) VMs | Eth-Admin | ICMP Type 0 | Monitor network available for all Exadata targets
Firewall Rules Between the Gateway and Oracle Standalone Hosts
This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle standalone hosts.
TABLE 18 Firewall Rules Between the Gateway and Oracle Standalone Hosts
Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
SNMP | Oracle Advanced Support Gateway | Host; Host ILOM (if Oracle hardware) | UDP/161 | SNMP for ASR telemetry
OEM | Oracle Advanced Support Gateway | Host | TCP/1830-1839 | OEM agent communication, typically 1830 is used for Oracle Services
ASR | Oracle Advanced Support Gateway | Host; Host ILOM (if Oracle hardware) | TCP/6481 | ASR for discovery and monitoring by service tags
SSH | Oracle Advanced Support Gateway | Host; Host ILOM (if Oracle hardware) | TCP/22 | Monitoring configuration, fault diagnostics and patching
SNMP | Host; Host ILOM (if Oracle hardware) | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events and/or network monitoring
HTTPS (OEM Agent) | Host | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
RMCP+ | Oracle Advanced Support Gateway | Host; Host ILOM (if Oracle hardware) | UDP/623 | Management and monitoring using ILOM interface (IPMI)
HTTPS | Oracle Advanced Support Gateway | Host; Host ILOM (if Oracle hardware) | TCP/443 | Monitoring configuration and fault diagnostic collection
HTTPS ZFS agent | Oracle Advanced Support Gateway | ZFS Storage Heads | TCP/215 | OEM plug-in communication to ZFS for monitoring
HTTPS | Primary Domain | Oracle Advanced Support Gateway | TCP/8234 | ASR Manager to communicate with ASR Assets
ZFS Phone Home | ZFS Storage Heads | asr-services.oracle.com; inv-cs.oracle.com; direct access or proxy to transport.oracle.com (129.157.65.13, 129.157.65.14, 141.146.1.169) or the proxy IP | TCP/443 or proxy port | ZFS Phone Home can also support an internet proxy
ZFS Phone Home | ZFS Storage Heads | Oracle Advanced Support Gateway | TCP/8000 | Gateway hosting a proxy server
Firewall Rules Between the Gateway and Oracle Third-Party Hosts
This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and Oracle third-party hosts.
Note - ILOMs on non-Oracle hardware can be monitored by Oracle Advanced Monitoring and Resolution. ILOMs on non-Oracle hardware cannot be monitored by Oracle Platinum Services or Oracle Auto Service Request (ASR).
TABLE 19 Firewall Rules Between the Gateway and Third-Party Standalone Hosts
Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
SNMP | Oracle Advanced Support Gateway | Host; Host ILOM (if Oracle hardware) | UDP/161 | SNMP for ASR telemetry
OEM | Oracle Advanced Support Gateway | Host | TCP/1830-1839 | OEM agent communication, typically 1830 is used for Oracle Services
SSH | Oracle Advanced Support Gateway | Host | TCP/22 | SSH connection for implementation and ongoing support
SNMP | Host; Host ILOM (if Oracle hardware) | Oracle Advanced Support Gateway | UDP/162 | SNMP for monitoring events and/or network monitoring
HTTPS (OEM Agent) | Host | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
Firewall Rules Between the Gateway and Hosts to be Monitored by ADS
This section provides a table showing the internal firewall rules between the Oracle Advanced Support Gateway and hosts to be monitored by Oracle Advanced Database Support (ADS).
Note - Oracle Advanced Database Support (ADS), an Oracle service that offers database fault monitoring with automatic service request submission, database security compliance reporting, proactive database health checks, and remote patch deployment, may be added to Platinum and non-Platinum systems for a fee.
TABLE 20 Firewall Rules Between the Gateway and Hosts to be Monitored by Oracle Advanced Database Support (ADS)
Application Protocol | Source Interface(s) | Destination Interface(s) | Network Protocol/Port | Purpose
ICMP | All monitored interfaces | Oracle Advanced Support Gateway | ICMP Type 0 and 8 | Used to test network connectivity between customer systems and the Gateway
ICMP | Oracle Advanced Support Gateway | All monitored interfaces | ICMP Type 0 and 8 | Used to test network connectivity between the Gateway and customer systems
SSH | Oracle Advanced Support Gateway | Host | TCP/22 | SSH connection for implementation and ongoing support
SQL | Oracle Advanced Support Gateway | Host | DB listener port, default is TCP/1521 | DB listener port for discovery and ongoing monitoring. Note - This is not required for Platinum Services customers.
OEM | Oracle Advanced Support Gateway | Host | TCP/1830-1839 | OEM agent communication, typically 1830 is used for Oracle Services
HTTPS (OEM Agent) | Host | Oracle Advanced Support Gateway | TCP/1159 | OEM agent communication to Oracle Advanced Support Gateway
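As an added example that is not part of the Oracle guide, the standalone-host rows of Table 18 and the SQL row of Table 20 are encoded below as data, rendered as a default-deny iptables allow-list for the Gateway, and queried to check whether a given flow is covered by a documented row. The "gateway"/"host" roles, the sample addresses and the iptables layout are the example's own assumptions, not Oracle's configuration.

```python
"""Added example, not from the Oracle guide: a few rows of the standalone-host
table (Table 18) and the SQL row of Table 20 encoded as data, rendered as a
default-deny iptables allow-list for the Gateway, and queried to check whether a
given flow is covered. Role names and addresses are constructed placeholders."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

GATEWAY = "gateway"   # the Oracle Advanced Support Gateway
HOST = "host"         # a monitored standalone host (or its ILOM)


@dataclass(frozen=True)
class Rule:
    app: str       # application protocol as named in the table
    src: str       # source role
    dst: str       # destination role
    proto: str     # "tcp", "udp" or "icmp"
    ports: tuple   # tcp/udp: (low, high) destination ports; icmp: permitted types
    purpose: str


# Rows transcribed from Table 18 (Gateway <-> Oracle standalone hosts).
TABLE_18: Sequence[Rule] = (
    Rule("ICMP", HOST, GATEWAY, "icmp", (0, 8), "Connectivity test to the Gateway"),
    Rule("ICMP", GATEWAY, HOST, "icmp", (0, 8), "Connectivity test to customer systems"),
    Rule("SNMP", GATEWAY, HOST, "udp", (161, 161), "SNMP for ASR telemetry"),
    Rule("OEM", GATEWAY, HOST, "tcp", (1830, 1839), "OEM agent communication"),
    Rule("ASR", GATEWAY, HOST, "tcp", (6481, 6481), "ASR discovery by service tags"),
    Rule("SSH", GATEWAY, HOST, "tcp", (22, 22), "Monitoring configuration and patching"),
    Rule("SNMP", HOST, GATEWAY, "udp", (162, 162), "SNMP traps for monitoring events"),
    Rule("HTTPS (OEM Agent)", HOST, GATEWAY, "tcp", (1159, 1159), "OEM agent upload"),
    Rule("RMCP+", GATEWAY, HOST, "udp", (623, 623), "IPMI via the ILOM interface"),
    Rule("HTTPS", GATEWAY, HOST, "tcp", (443, 443), "Fault diagnostic collection"),
)


def ads_sql_rule(listener_port: int = 1521) -> Rule:
    """Table 20's SQL row: the DB listener port is site-configurable (default
    TCP/1521) and, per the table's note, not required for Platinum customers."""
    return Rule("SQL", GATEWAY, HOST, "tcp", (listener_port, listener_port),
                "DB listener for discovery and ongoing monitoring")


def find_rule(rules: Sequence[Rule], src: str, dst: str, proto: str,
              value: int) -> Optional[Rule]:
    """Return the first rule permitting the flow, or None if no row covers it.
    `value` is the destination port for tcp/udp and the ICMP type for icmp."""
    for r in rules:
        if (r.src, r.dst, r.proto) != (src, dst, proto):
            continue
        if proto == "icmp":
            if value in r.ports:
                return r
        elif r.ports[0] <= value <= r.ports[1]:
            return r
    return None


def render_iptables(rules: Sequence[Rule], gateway_ip: str,
                    host_cidr: str) -> List[str]:
    """Render the rows as an iptables allow-list applied on the Gateway host:
    default-deny policies, stateful return traffic, then one ACCEPT per row.
    Rows whose destination is the Gateway go to INPUT, the others to OUTPUT."""
    addr = {GATEWAY: gateway_ip, HOST: host_cidr}
    lines = [
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        chain = "INPUT" if r.dst == GATEWAY else "OUTPUT"
        base = f"iptables -A {chain} -s {addr[r.src]} -d {addr[r.dst]} -p {r.proto}"
        note = f'-m comment --comment "{r.app}: {r.purpose}"'
        if r.proto == "icmp":
            # One line per permitted ICMP type (echo request 8, echo reply 0).
            for icmp_type in r.ports:
                lines.append(f"{base} --icmp-type {icmp_type} {note} -j ACCEPT")
        else:
            lo, hi = r.ports
            dport = str(lo) if lo == hi else f"{lo}:{hi}"  # 1830:1839 range syntax
            lines.append(f"{base} --dport {dport} {note} -j ACCEPT")
    return lines


if __name__ == "__main__":
    # Constructed sample addresses: the Gateway and the monitored host subnet.
    for line in render_iptables(list(TABLE_18) + [ads_sql_rule()],
                                "10.0.0.5", "10.0.1.0/24"):
        print(line)
    # A flow the table does not list fails the check: SSH is Gateway-initiated only.
    print(find_rule(TABLE_18, HOST, GATEWAY, "tcp", 22))  # None
```

The same data-driven check applies unchanged to the other tables on this page once their rows are transcribed; only the role names and networks (Eth-Admin, EoIB-Management, EoIB-OMS) need to be added to the Rule.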
ZFS, Exalogic, and SuperCluster ASR Endpoint IP Address Changes
This section provides a table showing ZFS Storage Appliance Racked System, Exalogic, and SuperCluster ASR Endpoint IP address changes.
TABLE 21 ZFS Storage Appliance Racked System, Exalogic, and SuperCluster ASR Endpoint IP Address Changes
Service | Used By | Old IP Address | New IP Address
inv-cs.oracle.com | ZFS Storage Heads; Exalogic; SuperCluster | 192.18.110.10 | 129.157.65.14
asr-services.oracle.com | ZFS Storage Heads; Exalogic; SuperCluster | 192.18.110.13 | 129.157.65.13
Implementation Changes to a Customer System
This section outlines the changes made to a customer's system during the implementation of Oracle Gateway Enabled services, including Platinum Services, Business Critical Service for Systems, Lifecycle Support Services, and Advanced Monitoring and Resolution. Oracle Advanced Support Gateway runs Oracle Enterprise Manager Cloud Control to perform its monitoring. Oracle Enterprise Manager Cloud Control requires agents to be installed on hosts, and then uses various plug-ins to monitor those devices that cannot be monitored directly. This section describes the monitoring method for a device and the configuration to be performed.
Refer to the following sections:
■ “The Monitoring Matrix” on page 51
■ “Implementation Impact on the Environment” on page 52
■ “Utilization Impact Risk of OEM Cloud Control Agent on Monitored Systems” on page 57
The Monitoring Matrix
This section provides a table of devices and shows how each device is monitored.
TABLE 22 Devices and their Associated Monitoring Methods
Device | Monitor Component | Cloud Control Agent | Plug-in Target Type | SNMP Trap | ASR
Engineered System | Exadata Storage Cell | No | Oracle Exadata Storage Server | Yes | Yes
Engineered System | Cisco Switch | No | Oracle Engineered System Cisco Switch | Yes | No
Engineered System | Infiniband Switch | No | Oracle Infiniband Switch | Yes | No
Engineered System | PDU | No | Oracle Engineered System PDU | Yes | No
Engineered System | OVS Compute Node | No | Oracle Engineered System ILOM Server | Yes | Yes
Engineered System | ZFS Array Storage Heads | No | Oracle ZFS Appliance | No | Yes (configured by the customer)
Exadata | Database Node | Yes | Oracle Engineered System ILOM Server; Oracle Virtual Platform; Oracle Server; Host | Yes | Yes
Exalogic | Physical Compute Node | Yes | Oracle Engineered System ILOM Server | Yes | Yes
Exalogic | Exalogic Control VM | Yes | Host | No | No
SuperCluster | Control Domains | Yes | Oracle Engineered System ILOM Server | Yes | Yes
SuperCluster | Logical Domains | Yes | Host | No (covered by Control Domain) | Yes
Host | Standalone Server (including other Engineered System nodes and VMs, for example: ODA, BDA, Exalytics) | Yes | Host; Oracle Engineered System ILOM Server (if Oracle hardware) | Yes | Yes
Host | Standalone ZFS Array Storage Heads | No | Oracle ZFS Storage Appliance | No | Yes (configured by the customer)
Host | Axiom 600 | No | Oracle Axiom | Yes | Yes (Call Home Customer Configured)
Implementation Impact on the Environment
The following sections describe the changes that are made to various types of system during the
implementation process:
■ Systems with an agent deployed. See “All Systems With An Agent Deployed” on page 53.
■ Engineered System. See “Engineered Systems” on page 54.
■ Engineered System Cisco Switch. See “Engineered System Cisco Switches” on page 54.
■ Engineered System Infiniband Switches. See “Engineered System Infiniband Switches” on page 55.
■ Engineered System PDU's. See “Engineered System PDU's” on page 55.
■ OVS Compute Nodes. See “OVS Compute Nodes” on page 55.
■ Exalogic Compute Nodes (Physical Implementation) and Exalogic Virtual Machines / Control Virtual Machines. See “Exalogic Compute Nodes (Physical Implementation) and Exalogic Virtual Machines / Control Virtual Machines” on page 56.
■ ZFS Storage Array Storage Heads. See “ZFS Storage Array Storage Heads” on page 56.
■ Pillar Axiom 600. See “Pillar Axiom 600 Storage Arrays” on page 57.
All Systems With An Agent Deployed
The following changes are made to every system on which an agent is deployed:
■ An entry is added to the /etc/hosts file for Oracle Advanced Support Gateway.
■ A new group is created on the operating system (OS) of the monitored server. The default group name is orarom.
■ A new user is created on the ILOM of the monitored server (if applicable). The default username is orarom.
■ A new user (orarom) is added on the operating system (OS) of the monitored server.
■ The new OS user is added to the group that owns the Oracle Inventory.
■ The new user is added to the group that owns the database diag directories that are listed in the oratab file (required for monitoring databases and generating ADR packages).
■ The Oracle Inventory directory is updated for group read/write permissions.
■ The database diag directories are updated for group read/write permissions.
■ A directory (/opt/OracleHomes) is created for the agent information based on the information provided in the Service Implementation Worksheet (SIW). The SIW is a key part of the planning, execution, and successful implementation of Oracle Supported Services.
■ If permission to retain root privileges is given in the configuration worksheet, the sudoers or RBAC files are updated to allow the new OS user to execute commands as root.
■ For Linux systems, the group of the /var/log/messages file is changed to the new group (orarom) if the group owner is root. This allows the agent user to be part of a group that can read the file, and the group read permission is granted. The agent user can then monitor the messages file. If the messages file is already owned by a different group, the new user is added to that group instead.
■ For Linux systems, the /etc/security/limits.conf file is updated to add the required settings for the new user (orarom) to meet the agent requirements.
■ Agents are pushed from Oracle Advanced Support Gateway to the server using the new user. The storage requirement for the agent is initially around 5GB.
■ Once the agents have been installed, the root.sh script for the agent is executed. root.sh creates or updates /etc/oragchomelist, creates /etc/init.d/gcstartup, and creates /etc/init.d/lockgcstartup.
■ For Solaris systems, the explorer tool may be scheduled to execute once per week at 11 PM on Sunday in root's crontab.
■ For some Solaris systems, host-based fault telemetry is configured for ASR, either updating snmpd.conf or using asradm, and starting the required services.
■ ILOMs are configured to send SNMP traps to Oracle Advanced Support Gateway for all ILOM-detected faults of level minor or above for ASR.
Note - For Exadata Nodes, the ILOM rules are configured on the operating system of the
node using the Exadata CLIs (cellcli and dbmcli) rather than directly on the ILOM.
Note - For Exalogic Virtual Machines, a further file is copied from the physical host to
/var/exalogic/info to define it as part of an Exalogic.
Engineered Systems
An Engineered System has strict policies not to allow the creation of new users or the
deployment of agents on the OS.
The changes that are made to these systems are performed in three stages:
■ Create a user on the ILOM of the system to allow Oracle to access the ILOM and the console of the system during troubleshooting. The default username is orarom.
■ When the system is discovered by Oracle Enterprise Manager Cloud Control, it creates SSH keys from the monitoring user on the database node(s) to the cellmonitor user within the storage cell.
■ Update the snmpsubscribers in the cell software to send the traps to Oracle Advanced Support Gateway for ASR. This removes any current subscribers that have a type of ASR.
■ Update the notificationpolicy in the cell software to include "critical,warning,clear".
■ Update the notificationmethod in the cell software to include snmp.
Engineered System Cisco Switches
The Cisco switch that is installed in the racks of an Engineered System is updated to send traps
to Oracle Advanced Support Gateway, and the SNMP server is enabled to send traps. The
community string is entered if not already set.
Engineered System Infiniband Switches
The Infiniband switches that are installed in the racks of an Engineered System are updated
to send traps to Oracle Advanced Support Gateway and a set of SSH keys is created to allow
password-less login from the monitoring agent to the nm2user on the switch.
The SSH keys for Exadata and SuperCluster systems are configured at discovery time.
For the other systems, these are created manually by the installation engineer during the
implementation prior to the target discoveries.
Engineered System PDU's
The PDU modules within the racks of an Engineered System are updated to send traps to Oracle
Advanced Support Gateway, and the PDU thresholds are set to generate alerts based on the
values from the Oracle Engineering teams.
OVS Compute Nodes
The Oracle Virtual Server operating system that is used within an Engineered System that is
running the virtualized stack has strict policies that do not allow the installation of agents on to
the systems. These nodes will have the ILOMs configured to send traps to the OASG for ASR.
A user (orarom) will be created on the OVS Server and granted the following privileges in the
sudoers file:
<user> ALL=/usr/sbin/xentop, /usr/sbin/dmidecode, /sbin/ethtool, /usr/bin/xenstore-ls, /usr/bin/xenstore-read, /usr/bin/xenstore-list, NOPASSWD: /usr/sbin/xl, /usr/bin/ipmitool, /usr/sbin/xm, /usr/sbin/imageinfo
This list of commands is used by the Oracle Virtual Platform and Oracle Server target types to
read information about the system and relay the information to OEM.
Note - The profile may be updated if the option for Oracle to retain sudo privilege is granted.
Exalogic Compute Nodes (Physical
Implementation) and Exalogic Virtual Machines /
Control Virtual Machines
These types of system have limited storage space on the root filesystem. Installing an agent on
the root filesystem is deemed to put this limited space at risk. The implementation for these
systems creates a project on the internal ZFS storage array in the rack and creates a filesystem
for each node or VM that has an agent installed.
The installation on the node/VM will then perform the following:
■ Update the (v)fstab to ensure the filesystem is mounted from the ZFS storage array at boot time.
■ Mount the filesystem on the required directory.
■ Install and configure the Exalogic Lifecycle Toolkit, release 14.2. Refer to the Exalogic Lifecycle Tools Note 1912063.1 on the My Oracle Support (MOS) website at: https://support.oracle.com/epmos/faces/DocumentDisplay?id=1912063.1.
A user (orarom) will be granted the following privileges in the sudoers file:
<user> ALL=/usr/sbin/dmidecode, /sbin/ethtool, NOPASSWD: /usr/bin/ipmitool, /usr/sbin/imageinfo
Note - The profile may be updated if the option for Oracle to retain sudo privilege is
granted.
ZFS Storage Array Storage Heads
The ZFS arrays are appliances that cannot have agents installed on them. Consequently, they are
monitored from another agent using a specific monitoring user. The changes that are carried out
on both of the storage heads in a cluster are as follows:
■ Execute the workflow “Configure for Oracle Enterprise Manager”. This always has the recreateWorksheet setting enabled. If the oracle_agent user and role are already created, then the recreateUser setting is not enabled. Otherwise it is enabled. If the user is set to be recreated, the password used is a strong, randomly generated, 16-character password.
Note - The customer can change the password on the oracle_agent user without affecting
the Oracle monitoring solution.
■ Create a new user for the Oracle monitoring solution using the role oracle_agent created by the above workflow. The default username is orarom, but the name is customizable from the Service Implementation Worksheet (SIW).
■ Enable advanced_analytics for the new user created above.
Pillar Axiom 600 Storage Arrays
The Axiom 600 storage array is an appliance that cannot have an agent installed on it.
Consequently, it is monitored from another agent using a plug-in. A new user is created with a
Monitor role for the plug-in to perform the connection and obtain the information. The default
username is orarom, but the name is customizable from the Service Implementation Worksheet
(SIW).
Utilization Impact Risk of OEM Cloud Control
Agent on Monitored Systems
Oracle's implementation is designed to be a low risk deployment using scripts to ensure
consistent deployments across all customer implementations. Furthermore, the implementation
is validated for monitoring within Oracle test systems. Oracle makes no changes to customer
applications or files outside of the steps described in the relevant sections on impacts on the
environment above.
The table below outlines the utilization impact that OEM has on the monitored systems.
TABLE 23
Utilization Impact of Oracle Enterprise Manager Cloud Control Agent on Monitored Systems

Overhead Impact of the Oracle Tools in the Environment
Metric | OEM 12c
CPU Utilization | The OEM 12c Agent uses from 0.02% to 1% of CPU utilization. The agent may utilize more CPU cycles, depending on the number of processes or applications monitored.
Memory Utilization | The OEM 12c Agent needs from 1GB to 2GB RAM to operate correctly. The actual memory utilization of the agent varies depending on the number of processes or applications monitored.
Disk Space Utilization | The OEM agent requires at least 2GB of free disk space for the installation files. After installation is complete, the installation files are removed. The installed OEM agent requires about 1GB of space initially. As the agent operates, disk space gradually increases up to 5GB.
Backout Plan
If it is necessary for the installation to be rolled back, Oracle will:
■ Shut down the agents that have been configured;
■ Work with the customer to schedule a maintenance window to remove the agents and trap destinations for all the devices configured for monitoring.
Server Prerequisites for Monitoring Deployment
This section outlines the methods used to provide Oracle with the necessary server access for
implementing monitoring on the Gateway. Refer to the following:
■ “Monitoring Access: an Overview” on page 58
■ “User Privileges” on page 59
■ “Solaris 11 Initial Setup User RBAC Profile” on page 61
■ “Solaris 10 Initial Setup User RBAC Profile” on page 63
■ “Solaris sudo Profile” on page 63
■ “Linux sudo Profile” on page 64
Monitoring Access: an Overview
In general, there are three methods for providing Oracle the necessary access for implementing
monitoring:
■ Provide root access to all systems.
■ Enable access using Role-based Access Control (RBAC). RBAC is a security feature for controlling user access to tasks that would normally be restricted to the root role. By applying security attributes to processes and to users, RBAC can divide superuser capabilities among several administrators. This option is applicable only to systems running the Solaris operating system.
■ Provide access via sudo (superuser do). sudo is a program for operating systems such as Linux and Solaris that allows users to run programs as another user, normally the system's superuser (root), as specified in the /etc/sudoers file.
User Privileges
Oracle requires that the user can execute the following commands using root privileges:
■ <Service EM Base Directory>/agent_home/core/12.1.0.5.0/root.sh
■ <Service EM Base Directory>/agent_home/core/12.1.0.4.0/root.sh
■ /opt/exalytics/asr/bda_mon_hw_asr.pl (Exalytics only)
■ /opt/oracle/oak/bin/oakcli (Oracle Database Appliance only)
■ /opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl (Exadata only)
■ /opt/oracle.cellos/imageinfo (Exadata only)
■ /opt/exalogic/usr/sbin/imageinfo (Exalogic only)
■ /opt/oracle/dbserver/dbms/bin/dbmcli (Exadata and ZDLRA only)
■ /opt/oracle/bda/bin/imageinfo (Big Data only)
■ /opt/ipmitool/bin/ipmitool (Solaris only)
■ /opt/ipmitool/sbin/ipmitool (Solaris only)
■ /usr/bin/chmod
■ /usr/bin/chown
■ /usr/bin/chgrp
■ /usr/bin/crontab (Solaris only)
■ /usr/bin/cp
■ /usr/bin/ex
■ /usr/bin/ipmitool
■ /usr/bin/grep
■ /usr/bin/ls
■ /usr/bin/mkdir
■ /usr/bin/rmdir
■ /usr/bin/passwd
■ /usr/bin/profiles (Solaris 11 only)
■ /usr/bin/vim
■ /usr/bin/xenstore-list
■ /usr/lib/fm/notify/asr-notify (Solaris 11 only)
■ /usr/sbin/dbmcli (Exadata and ZDLRA only)
■ /usr/sbin/dmidecode (Linux only)
■ /usr/sbin/groupadd
■ /usr/sbin/svcadm (Solaris only)
■ /usr/sbin/useradd
■ /usr/sbin/usermod
■ /usr/sbin/xm
The user provided for the initial setup can be removed once the monitoring has been deployed
and the agent user has been created. The agent user can be a user defined within a naming
service and a home directory mounted from an NFS server. However, the agent installation
directory must be unique to each server to be monitored. If the agent user is configured as part
of a naming service, then the user must belong to the group that owns the Oracle inventory on
all of the servers. The deployment scripts will verify and enforce group write permissions on
any Oracle inventory directory that is discovered by using the /etc/oraInst.loc or the /var/
opt/oracle/oraInst.loc files.
User Privileges for Exalogic Systems
If the user is part of a naming service and NFS mounts are to be defined (Exalogic systems
require NFS mounts), use NFSv4 rather than NFSv3. The configuration of NFSv4 is outside
the scope of this service, but the new mounts are defined with the NFSv4 options, and the
following extra command must be added to the security profile, depending on OS:
■ /usr/sbin/mount (Linux)
■ /sbin/mount (Solaris)
Note - The command paths are related to Solaris. For the Linux paths, please refer to the
sudo settings for Linux.
Solaris 11 Initial Setup User RBAC Profile
The user for the initial setup requires a profile built from the following configuration file:
set desc="ACS Service Profile"
add cmd=<Service EM Base>/agent_home/core/12.1.0.5.0/root.sh
set uid=0
end
add cmd=<Service EM Base>/agent_home/core/12.1.0.4.0/root.sh
set uid=0
end
add cmd=/opt/oracle.cellos/imageinfo
set uid=0
end
add cmd=/opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl
set uid=0
end
add cmd=/opt/ipmitool/bin/ipmitool
set uid=0
end
add cmd=/opt/ipmitool/sbin/ipmitool
set uid=0
end
add cmd=/usr/bin/chmod
set uid=0
end
add cmd=/usr/bin/chown
set uid=0
end
add cmd=/usr/bin/chgrp
set uid=0
end
add cmd=/usr/bin/crontab
set uid=0
end
add cmd=/usr/bin/cp
set uid=0
end
add cmd=/usr/bin/ex
set uid=0
end
add cmd=/usr/bin/vim
set uid=0
end
add cmd=/usr/bin/grep
set uid=0
end
add cmd=/usr/bin/ls
set uid=0
end
add cmd=/usr/sbin/groupadd
set uid=0
end
add cmd=/usr/bin/mkdir
set uid=0
end
add cmd=/usr/bin/rmdir
set uid=0
end
add cmd=/usr/bin/passwd
set uid=0
end
add cmd=/usr/bin/profiles
set uid=0
end
add cmd=/usr/lib/fm/notify/asr-notify
set uid=0
end
add cmd=/usr/sbin/svcadm
set uid=0
end
add cmd=/usr/sbin/useradd
set uid=0
end
add cmd=/usr/sbin/usermod
set uid=0
end
add cmd=/opt/exalogic/usr/sbin/imageinfo
set uid=0
end
If the Oracle Enterprise Manager (OEM) agents are installed on an Exalogic, an NFS mount is
configured by Oracle, and the user must also have the following command added to the profile:
add cmd=/sbin/mount
set uid=0
end
To create the profile from the configuration file above, perform the following as root or as a
user with permission to create new profiles:
profiles -p <Profile name> -f <configuration file>
usermod -P +<Profile name> <user>
This provides the required level of access to perform the creation of the user and group
directories, as well as setting the permissions on the Oracle inventory.
Solaris 10 Initial Setup User RBAC Profile
Solaris 10 RBAC configuration is controlled through files located in the /etc/security
directory. Append the following lines to the exec_attr file:
ACSSINITIAL:solaris:cmd:::<Service EM Base>/agent_home/core/12.1.0.5.0/root.sh:uid=0
ACSSINITIAL:solaris:cmd:::<Service EM Base>/agent_home/core/12.1.0.4.0/root.sh:uid=0
ACSSINITIAL:solaris:cmd:::/opt/ipmitool/bin/ipmitool:uid=0
ACSSINITIAL:solaris:cmd:::/opt/ipmitool/sbin/ipmitool:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/chmod:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/chown:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/chgrp:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/crontab:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/cp:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/ex:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/vim:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/grep:uid=0
ACSSINITIAL:solaris:cmd:::/usr/sbin/groupadd:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/ls:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/mkdir:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/rmdir:uid=0
ACSSINITIAL:solaris:cmd:::/usr/bin/passwd:uid=0
ACSSINITIAL:solaris:cmd:::/usr/sbin/svcadm:uid=0
ACSSINITIAL:solaris:cmd:::/usr/sbin/useradd:uid=0
ACSSINITIAL:solaris:cmd:::/usr/sbin/usermod:uid=0
If the Oracle Enterprise Manager (OEM) agents are installed on an Exalogic, an NFS mount is
configured by Oracle, and the user must also have the following command added to the profile:
ACSSINITIAL:solaris:cmd:::/sbin/mount:uid=0
Append the following line to the prof_attr file:
ACSSINITIAL:::Oracle Install Profile:
Once these entries have been added, update the user that will be used for the initial installation
to allow access to the profile:
usermod -P ACSSINITIAL <user>
Solaris sudo Profile
For Solaris users, add the following entries to the sudoers file:
Cmnd_Alias ACSSINSTALL = /usr/bin/chmod, /usr/bin/chown, \
/usr/bin/chgrp, /usr/bin/crontab, /usr/bin/cp, \
/usr/bin/ex, /usr/bin/grep, /usr/sbin/groupadd, \
/usr/bin/ls, /usr/bin/mkdir, /usr/bin/passwd, \
/usr/bin/profiles, /usr/lib/fm/notify/asr-notify, \
/usr/bin/rmdir, /usr/sbin/svcadm, /usr/sbin/asradm, \
/usr/sbin/useradd, /usr/sbin/usermod, \
<ServiceEMBase>/agent_home/core/12.1.0.5.0/root.sh, \
<ServiceEMBase>/agent_home/core/12.1.0.4.0/root.sh, \
/opt/ipmitool/bin/ipmitool, /opt/ipmitool/sbin/ipmitool, \
/opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl, \
/opt/oracle.cellos/imageinfo, \
/opt/exalogic/usr/sbin/imageinfo
<user> ALL=(ALL) ACSSINSTALL
The user must also have the sudo binary in their path to allow it to execute without a full path.
If the OEM agents are installed using an NFS mount that is to be configured by Oracle, then the
user must also have the following command alias created as assigned to the user:
Cmnd_Alias ACSSHAREDINSTALL = /sbin/mount
<user> ALL=(ALL) ACSSHAREDINSTALL
Linux sudo Profile
For Linux users, add the following entries to the sudoers file:
Cmnd_Alias ACSSINSTALL = /bin/chmod, /bin/chown, \
/bin/chgrp, /bin/cp, /bin/ex, \
/bin/grep, /bin/ls, /bin/mkdir, /bin/rmdir, \
/opt/exalytics/asr/bda_mon_hw_asr.pl, \
/usr/bin/passwd, /usr/sbin/groupadd, \
/usr/sbin/useradd, /usr/sbin/usermod, \
/usr/bin/ipmitool, /usr/bin/xenstore-list, \
/opt/oracle/oak/oakcli, /usr/sbin/dmidecode, \
<ServiceEMBase>/agent_home/core/12.1.0.5.0/root.sh, \
<ServiceEMBase>/agent_home/core/12.1.0.4.0/root.sh, \
/opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl, \
/opt/oracle.cellos/imageinfo, \
/opt/oracle/dbserver/dbms/bin/dbmcli, \
/opt/exalogic/usr/sbin/imageinfo, \
/usr/sbin/imageinfo, /usr/sbin/xm, \
/opt/oracle/bda/bin/imageinfo
<user> ALL=(ALL) ACSSINSTALL
The user must also have the sudo binary in their path to allow it to execute without a full path.
If the Oracle Enterprise Manager (OEM) agents are installed on an Exalogic, an NFS mount is
configured by Oracle, and the user must also have the following command added to the profile:
Cmnd_Alias ACSSHAREDINSTALL = /bin/mount
<user> ALL=(ALL) ACSSHAREDINSTALL
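Before a profile like the OVS, Exalogic or Linux sudoers fragments above is deployed, it is worth checking it mechanically. The following is an added example, not Oracle's tooling: it audits a fragment constructed from this guide's Linux ACSSINSTALL alias and the OVS compute-node line (with <ServiceEMBase> assumed to be /opt/OracleHomes, and REQUIRED_LINUX an assumed subset of the User Privileges list), joining continuation lines, expanding aliases, and reporting commands that are not absolute paths, duplicates, NOPASSWD entries, and required commands the profile does not grant.

```python
import re

# Commands that this guide's "User Privileges" section requires on a Linux
# host; the subset chosen here is an assumption made for the check.
REQUIRED_LINUX = {
    "/usr/bin/passwd", "/usr/sbin/groupadd", "/usr/sbin/useradd",
    "/usr/sbin/usermod", "/usr/bin/ipmitool", "/usr/sbin/dmidecode",
    "/opt/oracle/oak/bin/oakcli",
}

# Constructed sudoers fragment: the guide's Linux ACSSINSTALL alias (with
# <ServiceEMBase> assumed to be /opt/OracleHomes) plus the OVS compute-node
# line, both granted to the default orarom user.
SUDOERS_FRAGMENT = r"""
Cmnd_Alias ACSSINSTALL = /bin/chmod, /bin/chown, \
    /bin/chgrp, /bin/cp, /bin/ex, \
    /bin/grep, /bin/ls, /bin/mkdir, /bin/rmdir, \
    /opt/exalytics/asr/bda_mon_hw_asr.pl, \
    /usr/bin/passwd, /usr/sbin/groupadd, \
    /usr/sbin/useradd, /usr/sbin/usermod, \
    /usr/bin/ipmitool, /usr/bin/xenstore-list, \
    /opt/oracle/oak/oakcli, /usr/sbin/dmidecode, \
    /opt/exalytics/asr/bda_mon_hw_asr.pl, \
    /opt/OracleHomes/agent_home/core/12.1.0.5.0/root.sh, \
    /opt/oracle/dbserver/dbms/bin/dbmcli, /usr/sbin/xm
orarom ALL=(ALL) ACSSINSTALL
orarom ALL=/usr/sbin/xentop, /usr/sbin/dmidecode, /sbin/ethtool, \
    /usr/bin/xenstore-ls, /usr/bin/xenstore-read, /usr/bin/xenstore-list, \
    NOPASSWD: /usr/sbin/xl, /usr/bin/ipmitool, /usr/sbin/xm, /usr/sbin/imageinfo
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.*)$")
SPEC_RE = re.compile(r"^([^\s=]+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD):\s*(.*)$")


def logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            out.append((buf + line).strip())
            buf = ""
    return out


def parse_cmd_list(spec):
    """'a, b, NOPASSWD: c, d' -> [(cmd, nopasswd)]; a tag stays in force for
    every command that follows it until another tag appears."""
    cmds, nopasswd = [], False
    for item in spec.split(","):
        item = item.strip()
        tag = TAG_RE.match(item)
        if tag:
            nopasswd, item = tag.group(1) == "NOPASSWD", tag.group(2).strip()
        if item:
            cmds.append((item, nopasswd))
    return cmds


def parse_sudoers(text):
    """Return ({alias: [(cmd, nopasswd)]}, [(user, host, runas, cmds)])."""
    aliases, specs = {}, []
    for line in logical_lines(text):
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = parse_cmd_list(m.group(2))
            continue
        m = SPEC_RE.match(line)
        if m:
            user, host, runas, rest = m.groups()
            specs.append((user, host, runas or user, parse_cmd_list(rest)))
    return aliases, specs


def audit_sudoers(text, required=frozenset(REQUIRED_LINUX)):
    """Report relative paths, duplicates, NOPASSWD grants, unrestricted
    (ALL) grants, and required commands that no user specification grants."""
    aliases, specs = parse_sudoers(text)
    findings = {"relative": [], "duplicates": [], "nopasswd": [],
                "unrestricted": [], "missing": []}
    for name, cmds in aliases.items():
        seen = set()
        for cmd, _ in cmds:
            if cmd in seen:
                findings["duplicates"].append((name, cmd))
            seen.add(cmd)
    granted = set()
    for user, _host, _runas, cmds in specs:
        for cmd, nopasswd in cmds:
            # A bare alias name expands to its command list.
            for real, np in aliases.get(cmd, [(cmd, nopasswd)]):
                granted.add(real)
                if real == "ALL":
                    findings["unrestricted"].append(user)
                elif not real.startswith("/"):
                    findings["relative"].append((user, real))
                if np or nopasswd:
                    findings["nopasswd"].append((user, real))
    findings["missing"] = sorted(required - granted)
    return findings


if __name__ == "__main__":
    for kind, hits in audit_sudoers(SUDOERS_FRAGMENT).items():
        print(f"{kind}: {hits}")
```

Run against the guide's own fragment, the check reports the duplicated bda_mon_hw_asr.pl entry and that /opt/oracle/oak/bin/oakcli from the User Privileges list is not granted (the Linux alias spells it /opt/oracle/oak/oakcli), so the two sections should be reconciled before deployment.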
Storage Prerequisites for Monitoring Deployment
This section outlines storage requirements for the monitoring deployment. Refer to the
following sections:
■ “Monitoring Deployment: an Overview” on page 65
■ “Oracle ZFS Storage Appliances” on page 65
Monitoring Deployment: an Overview
The storage systems do not have the same privilege promotion capabilities as the servers do;
each storage system has a different method of granting access privileges. There are 3 options to
provide Oracle with the necessary access for implementing monitoring:
■ Provide administrator access to the system.
■ For some systems, create a user with the necessary privileges for Oracle to configure a new user for monitoring.
■ Create the monitoring user per the system requirements.
For information on which options are available for the various storage systems, refer to the
following sections.
Oracle ZFS Storage Appliances
The information in the following sections defines the properties for the users used in the
deployment of monitoring and the standard monitoring users. Further privileges are required for
patching the systems during a patch cycle. Refer to the following sections:
■ “Restricted User for Monitoring Deployment (AKSH Shell)” on page 66
■ “Monitoring User Requirements” on page 66
■ “Restricted User for Monitoring Deployment User (ILOM)” on page 66
■ “Monitoring User Requirements (ILOM)” on page 67
Restricted User for Monitoring Deployment (AKSH Shell)
You can create a user with the following privileges to be used during the monitoring
deployment:
TABLE 24
Privileges for a Restricted User for Monitoring Deployment

Object | Permissions
worksheet.*.* | modify
stat.* | read, create
user.* | changePassword, changePreferences, changeProperties, changeRoles, create
workflow.*.* | read
role.* | changeAuths, changeDescription, create
Monitoring User Requirements
You can create the monitoring user using the following high level steps:
■ Execute the workflow outlined in the section “Configure for Oracle Enterprise Manager Monitoring”, ensuring to select creation of the worksheet.
■ Create a new user for monitoring.
■ Assign the oracle_agent role to this user.
■ Set the preferences for the user to enable Advanced Analytics.
■ Add the stat.* create authorization to the oracle_agent role.
Restricted User for Monitoring Deployment User (ILOM)
You can create a user with the ILOM role u (User Management) to allow Oracle to create a new
user for use with the monitoring.
Monitoring User Requirements (ILOM)
In order to provide monitoring and diagnostic collection on the ZFS ILOM, including initiating
an NMI to the host, the monitoring user requires the ILOM role permissions cro (Console, Read
Only, and Reset and Host Control).
Audit Logging Feature
The Audit Logging Feature of the Oracle Advanced Support Gateway provides audit
information for three different categories of system events. The three categories are:
■ Outbound Network Connections: The Linux firewall service (iptables) triggers notifications for all outbound network traffic with the exception of traffic to Oracle managed hosts used for monitoring and management (for example, Oracle VPN end points, dts.oracle.com, support.oracle.com).
■ Outbound Login Activity: The Linux auditing service (auditd) triggers notifications for all outbound login attempts initiated from the Oracle Advanced Support Gateway. This is done by monitoring usage of the ssh and telnet system binaries. Oracle Advanced Support Gateway sends a message that ssh or telnet has been used, by which user, and when. The destination is not provided. auditd logs contain that information. auditd logs are not directly accessible by the customer on Oracle Advanced Support Gateway.
■ Inbound Oracle Advanced Support Gateway User Login Activity: The Linux auditing service (auditd) triggers notifications each time any of the system logs used for tracking logins is updated. This includes failed logins and successful login attempts. It also triggers a notification each time a user logs in from a remote system. These activities are monitored using auditd and forwarded to the customer's central logging system.
All audit notifications are delivered using standard syslog protocol. A central logging system
must be provided to accept and process these messages.
The format of most of these messages is based on auditd. They can be managed using various
auditd and related utilities.
The audit logging feature is disabled by default, and must be explicitly enabled through the
Oracle Advanced Support Gateway command line interface (CLI). The details of how to
configure this feature are explained in the following section:
Initial Login
Note - Outbound Network Connection logging can be enabled by Oracle staff for 3.7.3, 3.8, and
3.9 Gateways.
1. Use ssh to connect to the Oracle Advanced Support Gateway.
Use the customer administrator account configured at installation time or any other user
with the customer administrator role.
2. At the first (CLI or CLISH) prompt, enter the password.
3. At the next prompt enter configure terminal.
4. At the next prompt enter syslog.
You are now in the syslog-specific section of the Oracle Advanced Support Gateway CLI
where you can configure forwarding.
Available Commands

Command | Description
help | To display a list of available commands.
? | To display a brief explanation of how to enter commands in the CLI.
stat | To display the current configuration. This produces a display similar to the following:
------------- SyslogBroadcaster Configuration -----------
Message Forward Status = enabled
Host IP Address = 1.2.3.4
Host Port Number = 514
Host Time Zone = GMT
firewall Message Forward = enabled
ssh Message Forward = enabled
session Message Forward = enabled
UID/GUID Mapping = enabled
-----------------------------------------------------------
forward enable | To enable syslog forwarding.
forward disable | To disable syslog forwarding.
ip <ip address> | To enter the IP address of the remote syslog server (the one receiving the forwarded messages). You must enter a valid IP address, not a host name.
port <port #> | To change the port used for forwarding syslog messages.
timezone <value> | To set the time zone used in the forwarded syslog messages. The value must be -12 to +12, which is the offset from GMT.
mapping enable | To convert the uid and guid contained in each message to the corresponding Unix user and group name.
mapping disable |
Enabling and Disabling Logging Messages
The following paragraphs show the commands to enable and disable logging messages, and
provide examples of the resulting messages.
In the examples below, user mapping is enabled: uid=#(username) and gid=#(groupname).
In the event that user mapping is disabled, all instances of uid=# and gid=# are replaced with
uid=0 and gid=0.
Any combination of the following three categories can be enabled or disabled.
Outbound Network Connectivity
■ To enable or disable this type of message forwarding:
firewall enable
firewall disable
These messages are generated by iptables and represent all outbound network traffic with the
exception of traffic to known addresses used for Oracle monitoring.
The following example shows messages as they are seen on the system that receives the
forwarded syslog messages.
Result from an nslookup command:
Jul 31 15:10:01 Jul-31 15: 10:01 GMT+00:00 0:0:0:0:0:0:0:1 NA: sample-host kernel: iptables: IN= OUT=eth0 SRC=nn.nn.nn.nn DST=nn.nn.nn.nn LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=33101 DF PROTO=UDP SPT=30849 DPT=53 LEN=39 UID=jsmith GID=admin
Result from an ssh command:
Jul 31 15:13:22 Jul-31 15: 13:22 GMT+00:00 0:0:0:0:0:0:0:1 NA: sample-host kernel: iptables: IN= OUT=eth0 SRC=nn.nn.nn.nn DST=nn.nn.nn.nn LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46937 DF PROTO=TCP SPT=54842 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0 UID=jsmith GID=admin
Outbound Login Activity
■ To enable or disable this type of message forwarding:
ssh enable
ssh disable
The following example shows a message as it is seen on the system that receives the forwarded
syslog messages.
Result from an ssh command:
Jul 31 15:22:15 Jul-31 15: 22:14 GMT+00:00 0:0:0:0:0:0:0:1 NA: sample-host audispd: node=sample-host type=SYSCALL msg=audit(1437567767.027:17839321): arch=c000003e syscall=59 success=yes exit=0 a0=124e030 a1=123d7f0 a2=1246d90 a3=10 items=2 ppid=22614 pid=25252 auid=54373 uid=jsmith gid=admin euid=54373 suid=54373 fsuid=54373 egid=501 sgid=501 fsgid=501 tty=pts4 ses=90594 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="gateway_audit"
Oracle Advanced Support Gateway User Login Activity
■ To enable or disable this type of message forwarding:
session enable
session disable
The following examples show messages as they are seen on the system that receives the
forwarded Syslog messages.
Example of ssh being invoked on Oracle Advanced Support Gateway:
Aug 1 21:37:02 Aug-01 17: 37:02 GMT-04:00 0:0:0:0:0:0:0:1 NA: sample-host audispd: node=sample-host type=SYSCALL msg=audit(1375393022.626:187186): arch=c000003e syscall=59 success=yes exit=0 a0=7fa860e69380 a1=7fa860e697e0 a2=7fa860e69ca0 a3=0 items=2 ppid=1428 pid=12967 auid=4294967295 uid=jsmith gid=admin euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key="SESSION"
Result from an su command on Oracle Advanced Support Gateway:
Aug 1 21:42:49 Aug-01 17: 42:49 GMT-04:00 0:0:0:0:0:0:0:1 NA: sample-host audispd: node=sample-host type=SYSCALL msg=audit(1437567906.700:17840209): arch=c000003e syscall=2 success=yes exit=3 a0=7f691418c518 a1=2 a2=7f691418c760 a3=fffffffffffffff0 items=1 ppid=22614 pid=25811 auid=54373 uid=54373 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts4 ses=90594 comm="su" exe="/bin/su" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="SESSION"
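On the central logging system that receives these messages, the three categories can be parsed and correlated. The following is an added example, not part of this guide: it parses forwarded messages of the shape shown above into firewall, ssh and session events, records whether UID/GID mapping was on (names versus numeric ids), and pairs an outbound-login record, which carries no destination, with the firewall record from the same user to port 22 that follows it. The sample lines are constructed from the guide's examples, with documentation-range addresses and shortened auditd records.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of forwarded messages, modelled on this guide's examples:
# one line per message, addresses from the 203.0.113.0/24 documentation
# range, and the auditd SYSCALL records shortened to the fields used here.
# The last record has numeric ids, as seen when UID/GID mapping is disabled.
SAMPLE_LINES = [
    "Jul 31 15:10:01 Jul-31 15: 10:01 GMT+00:00 0:0:0:0:0:0:0:1 NA: sample-host kernel:"
    " iptables: IN= OUT=eth0 SRC=203.0.113.5 DST=203.0.113.53 LEN=59 TOS=0x00 PREC=0x00"
    " TTL=64 ID=33101 DF PROTO=UDP SPT=30849 DPT=53 LEN=39 UID=jsmith GID=admin",
    'Jul 31 15:13:20 Jul-31 15: 13:20 GMT+00:00 0:0:0:0:0:0:0:1 NA: sample-host audispd:'
    ' node=sample-host type=SYSCALL msg=audit(1437567767.027:17839321): arch=c000003e'
    ' syscall=59 success=yes exit=0 ppid=22614 pid=25252 auid=54373 uid=jsmith gid=admin'
    ' tty=pts4 ses=90594 comm="ssh" exe="/usr/bin/ssh" key="gateway_audit"',
    "Jul 31 15:13:22 Jul-31 15: 13:22 GMT+00:00 0:0:0:0:0:0:0:1 NA: sample-host kernel:"
    " iptables: IN= OUT=eth0 SRC=203.0.113.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00"
    " TTL=64 ID=46937 DF PROTO=TCP SPT=54842 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0"
    " UID=jsmith GID=admin",
    'Aug 1 21:37:02 Aug-01 17: 37:02 GMT-04:00 0:0:0:0:0:0:0:1 NA: sample-host audispd:'
    ' node=sample-host type=SYSCALL msg=audit(1375393022.626:187186): arch=c000003e'
    ' syscall=59 success=yes exit=0 ppid=1428 pid=12967 auid=4294967295 uid=0 gid=0'
    ' tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="SESSION"',
]

# Syslog header, then the gateway prefix up to "NA:", then host and program.
HEADER_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?\bNA:\s*(\S+) (kernel|audispd): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
# The auditd rule keys used by the gateway map onto the guide's categories.
AUDIT_KEYS = {"gateway_audit": "ssh", "SESSION": "session"}


def parse_line(line):
    """Return a dict for one forwarded message, or None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    stamp, host, prog, body = m.groups()
    # The header carries no year; 2000 is a leap year so 29 Feb still parses.
    when = datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")
    category = "unknown"
    if prog == "kernel":
        if not body.startswith("iptables:"):
            return None
        category, body = "firewall", body[len("iptables:"):]
    # A repeated key (the second LEN= of a UDP packet) keeps its last value.
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    if prog == "audispd":
        category = AUDIT_KEYS.get(fields.get("key"), "unknown")
    user = fields.get("UID") or fields.get("uid") or ""
    return {"when": when, "host": host, "category": category, "user": user,
            "mapped": not user.isdigit(), "fields": fields}


def summarize(lines):
    """Parse every line; return the events and a per-category count."""
    events = [e for e in map(parse_line, lines) if e]
    counts = {}
    for e in events:
        counts[e["category"]] = counts.get(e["category"], 0) + 1
    return events, counts


def correlate_ssh(events, window=timedelta(seconds=30)):
    """Pair each outbound-login record, which the guide says carries no
    destination, with the first firewall record from the same user to port
    22 inside the window, recovering DST from the firewall category."""
    firewall = [e for e in events if e["category"] == "firewall"]
    pairs = []
    for ev in events:
        if ev["category"] != "ssh":
            continue
        dest = None
        for fw in firewall:
            delta = fw["when"] - ev["when"]
            if (fw["user"] == ev["user"] and fw["fields"].get("DPT") == "22"
                    and timedelta(0) <= delta <= window):
                dest = fw["fields"].get("DST")
                break
        pairs.append((ev["user"], ev["fields"].get("exe"), dest))
    return pairs


if __name__ == "__main__":
    events, counts = summarize(SAMPLE_LINES)
    print(counts)
    print(correlate_ssh(events))
```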