This section outlines the principal changes made to Oracle Advanced Services Gateway Security Guide (this document) since the last release (E40643-62; March 2025).
We have added new endpoints to the external firewall access rules. All Gateway customers are required to open access to us-phoenix-1 and to one or more of the other listed endpoints, depending on the Gateway location.
See Downloading the Firewall Rules Document from My Oracle Support.
We have clarified the scope of the firewall rules that must be applied for every customer Gateway.
All Gateways must implement:
Firewall rules between the Gateway and the customer network. See Firewall Rules Between the Gateway and the Customer Network.
Firewall rules for Gateway hardware self-monitoring. See Firewall Rules for Gateway Hardware Self-Monitoring.
Firewall rules that apply for the systems to be monitored by the Gateway.
See Downloading the Firewall Rules Document from My Oracle Support.
In this release, we are distributing a new Gateway user interface that enables users to work on three main functional areas:
Remote access control
Syslog forwarding
System proxy
Users can check the status of various system settings and make changes to these systems.
These Gateway features can be updated using the interface in two separate modes:
Interactive, or
Non-interactive
We have added further maintenance tasks performed by Oracle and outlined the frequency with which each task is carried out.
Gateway agents (oasg_agent) installed on customer systems are upgraded every month
Oracle Autonomous Health Framework (AHF) agents installed on customer systems are upgraded every month
OEM agents installed on customer systems are upgraded every quarter
Due to updates to the password expiration policy of the monitoring user orarom for Exadata and ZDLRA systems, /usr/bin/chage has been added to the Linux sudo profile.
Due to an issue with the Oracle Autonomous Health Framework (AHF) installation, the sudoers profile for the installation user has been revised. The following entries:
/tmp/install_ahf_no_cfg.sh
/tmp/install_ahf.sh
have been revised as follows:
<ServiceEMBase>/install_ahf_no_cfg.sh
<ServiceEMBase>/install_ahf.sh
See User Privileges.
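One way to confirm on a monitored host that the installation user's sudoers profile carries the revised AHF entries and no longer the /tmp ones. This is an added example, not Oracle's code or the actual profile text. The user name `ahfinstall`, the path `/opt/example/em_base` standing in for <ServiceEMBase>, and the sample rules are constructed assumptions, and the parser handles only direct user rules, not sudoers aliases.

```python
import re

# Entries named in this section: the old /tmp paths and the script names
# that now live under <ServiceEMBase>.
OLD_ENTRIES = ("/tmp/install_ahf_no_cfg.sh", "/tmp/install_ahf.sh")
SCRIPT_NAMES = ("install_ahf_no_cfg.sh", "install_ahf.sh")

# Constructed samples; "ahfinstall" and "/opt/example/em_base" are hypothetical.
SAMPLE_BEFORE = r"""# constructed sample, not Oracle's actual profile
ahfinstall ALL=(root) NOPASSWD: /tmp/install_ahf_no_cfg.sh, \
    /tmp/install_ahf.sh
"""
SAMPLE_AFTER = (
    "ahfinstall ALL=(root) NOPASSWD: /opt/example/em_base/install_ahf_no_cfg.sh, "
    "/opt/example/em_base/install_ahf.sh\n"
)

def sudoers_commands(text, user):
    """Return command paths granted directly to `user` (aliases not resolved)."""
    joined = re.sub(r"\\\n", " ", text)           # fold continuation lines
    commands = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line.split()[:1] != [user]:            # keep only this user's rules
            continue
        spec = line.partition("=")[2]
        spec = re.sub(r"\([^)]*\)", " ", spec)    # drop Runas spec, e.g. (root)
        spec = re.sub(r"\b[A-Z_]+:", " ", spec)   # drop tags, e.g. NOPASSWD:
        for item in spec.split(","):
            if item.strip():
                commands.append(item.split()[0])  # path only, ignore arguments
    return commands

def audit_ahf_entries(text, user, service_em_base):
    """Report old /tmp entries still present and revised entries not yet added."""
    granted = set(sudoers_commands(text, user))
    base = service_em_base.rstrip("/")
    expected = {f"{base}/{name}" for name in SCRIPT_NAMES}
    return {
        "stale": sorted(granted & set(OLD_ENTRIES)),
        "missing": sorted(expected - granted),
    }

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_ahf_entries(text, "ahfinstall", "/opt/example/em_base"))
```

A stale entry is worth removing rather than leaving beside the new one: /tmp is world-writable, so a sudo rule for a path there applies to whatever file sits at that path.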
The configuration of InfiniBand switches has been updated. nm2user no longer exists; we use the ilom-operator user instead. The InfiniBand switches that are installed in the racks of an Engineered System are updated to send traps to the Gateway and a set of SSH/SCP keys is created to allow password-less login from the monitoring agent to the ilom-operator user on the switch.