Saturday, May 24, 2008

How to Secure Oracle 10g/11g Enterprise Manager for SSL

Recently a poster on the Oracle Forums asked a question on how to secure Oracle 10g Database Control for Enterprise Manager (OEM) with SSL. I had to do this for some military customers when we migrated to secured networks for Oracle 10g.

According to the Oracle documentation and various tips from Oracle Metalink, Oracle uses wallets to secure OEM communication over SSL.

The emctl secure commands set up this wallet-based SSL security to lock down the Oracle 10g Database Control or Grid Control environment.

Oracle® Enterprise Manager Advanced Configuration
10g Release 2 (10.2)

The emctl secure agent utility performs the following actions:

* Obtains an Oracle Wallet from the Management Service that contains a unique digital certificate for the Management Agent. This certificate is required in order for the Management Agent to conduct SSL communication with the secure Management Service.

* Obtains an Agent Key for the Management Agent that is registered with the Management Service.

* Configures the Management Agent so it is available on your network over HTTPS and so it uses the Management Service HTTPS upload URL for all its communication with the Management Service.

To enable Enterprise Manager Framework Security for the Management Agent:

1. Ensure that your Management Service and the Management Repository are up and running.
2. Change directory to the following directory:

AGENT_HOME/bin (UNIX)
AGENT_HOME\bin (Windows)

3. Stop the Management Agent:

PROMPT> ./emctl stop agent

4. Enter the following command:

PROMPT> ./emctl secure agent (UNIX)
PROMPT> emctl secure agent (Windows)

The emctl secure agent utility prompts you for the Agent Registration Password, authenticates the password against the Management Service, and reconfigures the Management Agent to use Enterprise Manager Framework Security.

Alternatively, you can enter the command all on one line, but if you enter the command on one line, the password you enter will be displayed on the screen as you type:

PROMPT> ./emctl secure agent agent_registration_pwd (UNIX)
PROMPT> emctl secure agent agent_registration_pwd (Windows)

Here is sample usage output for the various options of the emctl secure command:

C:\>emctl secure
Oracle Enterprise Manager 10g Database Control Release

Copyright (c) 1996, 2005 Oracle Corporation. All rights reserved.

Usage :
secure oms -sysman_pwd -reg_pwd [-host ] [-reset] [-secure_port ]
secure agent
secure em
secure dbconsole []
secure setpwd
secure status [oms url]
secure lock | unlock

In this case, I have Oracle 10g on Windows XP with Database Control for EM.
Here is an example:

C:\>emctl secure dbconsole oracle oracle karma

Oracle Enterprise Manager 10g Database Control Release
Copyright (c) 1996, 2005 Oracle Corporation. All rights reserved.


Checking Repository... Done.
Checking Repository for an existing Enterprise Manager Root Key... Done.
Generating Enterprise Manager Root Key (this takes a minute)... Done.
Fetching Root Certificate from the Repository... Done.
Generating Registration Password Verifier in the Repository... Done.
Updating HTTPS port in file... Done.
Generating Java Keystore...Certificate was added to keystore
Certificate reply was installed in keystore
Securing OMS ... Done.
Generating Oracle Wallet Password for Agent.... Done.
Generating wallet for Agent ... Done.
Copying the wallet for agent use... Done.
Storing agent key in repository... Done.
Storing agent key for agent ... Done.
Configuring Agent...
Configuring Agent for HTTPS... Done.
EMD_URL set in C:\oracle\product\10.2.0\db_1/karma_orcl/sysman/config/emd.prop
Configuring Agent ... Done.
Configuring Key store.. Done.
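Once the agent has been secured, the quickest sanity check is to confirm that its emd.properties now carries HTTPS URLs rather than plain HTTP. The script below is an added example, not from this post or from Oracle; it assumes the property names EMD_URL (shown in the output above) and REPOSITORY_URL (the upload URL to the Management Service), and the sample file contents are constructed, not taken from a real host.

```python
"""Post-'emctl secure agent' check: confirm the agent's emd.properties now
points at HTTPS URLs.  Added example, not Oracle's code."""
from urllib.parse import urlsplit

# Constructed sample of an agent emd.properties after securing (not from a real host).
SAMPLE_EMD_PROPERTIES = """\
# Agent configuration (constructed sample)
EMD_URL=https://karma:3938/emd/main/
REPOSITORY_URL=https://karma:1159/em/upload/
agentTZRegion=America/New_York
"""

# Keys that must carry https:// after securing (assumed property names).
SECURED_URL_KEYS = ("EMD_URL", "REPOSITORY_URL")


def parse_properties(text):
    """Minimal Java .properties reader: '#' or '!' comments, key=value or
    key:value, and backslash line continuations.  Enough for emd.properties."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        # The first '=' or ':' separates key from value, as in Java.
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def check_secured(props):
    """Return {key: problem} for each URL key that is missing or not https."""
    problems = {}
    for key in SECURED_URL_KEYS:
        url = props.get(key)
        if url is None:
            problems[key] = "missing"
        elif urlsplit(url).scheme.lower() != "https":
            problems[key] = f"not https: {url}"
    return problems


def agent_is_secured(text):
    """True when every required URL in the properties text uses https."""
    return not check_secured(parse_properties(text))


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EMD_PROPERTIES
    for key, problem in check_secured(parse_properties(src)).items():
        print(f"{key}: {problem}")
```

Run it with the path to the agent's emd.properties as the first argument; no output means both URLs are HTTPS.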
