4 Keeping Oracle Database Appliance Secure

Use the policies and procedures described in this chapter to keep Oracle Database Appliance secure.

Securing the Hardware

Oracle recommends that you implement the security policies described here to restrict access to the hardware.

After installation of Oracle Database Appliance, secure the hardware.

Hardware Security Methods and Procedures

  • Install Oracle Database Appliance and related equipment in a locked, restricted-access room.

  • Restrict access to hot-pluggable or hot-swappable devices because the components can be easily removed by design.

  • Limit SSH listener ports to the management and private networks.

  • Limit allowed SSH authentication mechanisms. By default, inherently insecure SSH authentication methods are disabled.

  • Mark all significant items of computer hardware, such as FRUs.

  • Record the serial numbers of the components in Oracle Database Appliance, and keep a record in a secure place. All components in Oracle Database Appliance have a serial number.
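The two SSH items above, listener scope and permitted authentication mechanisms, can be checked mechanically rather than by eye. The following audit of an OpenSSH sshd_config is an added example and is not part of this guide or of the appliance software; the management and private subnets it allows, and both sample configurations, are constructed assumptions that you would replace with your own.

```python
"""Audit an OpenSSH sshd_config against the SSH policy above.

Added example, not part of the Oracle Database Appliance guide or software.
The management/private subnets and both sample configurations are constructed
assumptions for illustration; substitute your own.
"""
import ipaddress

# Assumed management and private networks the SSH listener may bind to.
ALLOWED_LISTENER_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                         ipaddress.ip_network("192.168.0.0/16")]

# directive -> (required value, OpenSSH default used when the directive is absent)
AUTH_POLICY = {
    "passwordauthentication": ("no", "yes"),
    "kbdinteractiveauthentication": ("no", "yes"),
    "permitemptypasswords": ("no", "no"),
    "hostbasedauthentication": ("no", "no"),
    "pubkeyauthentication": ("yes", "yes"),
}


def parse_sshd_config(text):
    """Return {directive_lower: [values]} for the global section of sshd_config.

    Directives inside Match blocks are ignored: they only narrow the policy for
    the matched users or addresses and cannot widen the global listener policy.
    """
    directives = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        directives.setdefault(key, []).append(value)
    return directives


def _listen_host(addr):
    """Strip an optional :port from a ListenAddress value ([v6]:port or v4:port)."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:          # IPv4 with port
        return addr.split(":")[0]
    return addr


def audit_sshd_config(text):
    """Return a list of policy findings; an empty list means the file complies."""
    d = parse_sshd_config(text)
    findings = []

    listen = d.get("listenaddress", [])
    if not listen:
        findings.append("no ListenAddress: sshd listens on every interface, "
                        "including client-facing networks")
    for addr in listen:
        try:
            ip = ipaddress.ip_address(_listen_host(addr))
        except ValueError:
            findings.append(f"ListenAddress {addr}: not an IP literal, scope unverifiable")
            continue
        if not any(ip in net for net in ALLOWED_LISTENER_NETS):
            findings.append(f"ListenAddress {addr}: outside management/private networks")

    for key, (required, default) in AUTH_POLICY.items():
        # sshd honours the first occurrence of a directive; later ones are ignored.
        effective = d.get(key, [default])[0].lower()
        if effective != required:
            how = "set to" if key in d else "absent, defaults to"
            findings.append(f"{key} {how} {effective}; policy requires {required}")
    return findings


# Constructed samples (not from a real appliance): one non-compliant, one compliant.
SAMPLE_BAD = """\
Port 22
ListenAddress 192.168.16.24
# 203.0.113.5 is on a client network and violates the listener policy
ListenAddress 203.0.113.5
PasswordAuthentication yes
PermitEmptyPasswords no
# conditional setting only; the global PasswordAuthentication still applies
Match User backup
    PasswordAuthentication no
"""

SAMPLE_GOOD = """\
ListenAddress 192.168.16.24
ListenAddress 10.20.30.40:22
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, audit_sshd_config(cfg) or ["compliant"])
```

Run it against /etc/ssh/sshd_config on each node after deployment and again after every patch, since patches can restore defaults; a non-empty finding list is a policy deviation, not a style remark.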

Securing the Software

Review and implement security features and policies for your appliance software.

Oracle Database Appliance Operating System and Server Security Policies

  • Change all default passwords when the system is installed at the site.

    Oracle Database Appliance uses default passwords for initial installation and deployment that are widely known. A default password that is still in effect could allow unauthorized access to the equipment. Devices such as the network switches have multiple user accounts. Be sure to change all account passwords on the components in the rack.

  • Create and use Oracle Integrated Lights Out Manager (ILOM) user accounts for individual users.

    Using ILOM user accounts ensures a positive identification in audit trails, and results in less maintenance when administrators leave the team or company.

  • Restrict physical access to USB ports, network ports, and system consoles.

    Servers and network switches have ports and console connections, which provide direct access to the system.

  • Restrict the capability to restart the system over the network.

  • Enable available database security features, as described in Oracle Database Security Guide.

Oracle Database Security Features

Oracle Database Appliance can leverage all the security features available with Oracle Databases installed on legacy platforms. Oracle Database security products and features include the following:

  • Oracle Advanced Security

  • Data Masking

  • Oracle Database Firewall

  • Oracle Database Vault

  • Oracle Label Security

  • Oracle Secure Backup

  • Oracle Total Recall

  • Oracle Audit Vault. Note that Oracle Audit Vault may not be configured to run on Oracle Database Appliance directly. Instead, Oracle Database Appliance may be configured to use an instance of Oracle Audit Vault that runs on a separate server.

Using Oracle privileged user and multi-factor access control, data classification, transparent data encryption, auditing, monitoring, and data masking, you can deploy reliable data security controls without changing existing applications.

Configuring a Third-Party Certificate for Oracle Database Appliance

The Browser User Interface and DCS Controller use HTTPS (TLS, historically called SSL) for secure communication. Understand the implications of this added security and the options to configure the server certificate.

The Browser User Interface adds a layer of protection, based on certificates and encryption, to every interaction an administrator has with the appliance. A correctly configured TLS connection ensures that:

  • The browser is talking to the appliance it intended to reach, and not to a malicious third party impersonating it. This is server authentication, and it depends on the browser being able to validate the certificate the appliance presents.
  • Data exchanged between the server and the browser cannot be read by anyone intercepting the traffic (encryption), and any modification in transit is detected and rejected (integrity protection).

Encryption alone provides only the second property; the first is what the certificate configuration described here establishes.

When you connect to the Browser User Interface through HTTPS, the DCS Controller presents your browser with a certificate so that the browser can verify the identity of the appliance. If the certificate was not issued by a Certificate Authority (CA) that the browser trusts, or its name does not match the host name in the URL, the browser treats the connection as untrusted and displays a security warning. The warning appears because HTTPS is enabled but the appliance is still presenting a certificate that your browsers do not trust rather than one from a CA they do. To avoid the warning, obtain a certificate for the appliance host name from a CA that your browsers trust: either a public CA, or an internal enterprise CA whose root certificate is installed on the administrators' workstations. Do not train administrators to click through the warning; on an interface that normally shows none, a warning is the only visible sign of an interception attempt.

To configure your certificate, create your own key and Java keystore, ensure it is signed by a Certificate Authority (CA) and then import it for use.

Note:

For Oracle Database Appliance High-Availability hardware models, run the configuration steps on both nodes.

Creating a Key and Java Keystore and Importing a Trusted Certificate

Use keytool, a key and certificate management utility, to create a keystore and a signing request.

  1. Create the keystore that will hold the server's private key (4096-bit RSA, valid for one year, in the JKS format the DCS configuration expects):
    keytool -genkeypair -alias your.domain.com -storetype jks -keystore your.domain.com.jks -validity 366 -keyalg RSA -keysize 4096
  2. The command prompts you for identifying data:
    1. What is your first and last name? your.domain.com (this becomes the certificate's Common Name; use the fully qualified host name that administrators type into the browser, and the same name you pass as the SAN in Step 3, because browsers match the URL against the SAN, not the Common Name)
    2. What is the name of your organizational unit? yourunit
    3. What is the name of your organization? yourorg
    4. What is the name of your City or Locality? yourcity
    5. What is the name of your State or Province? yourstate
    6. What is the two-letter country code for this unit? US
  3. Create the certificate signing request (CSR), carrying the host name as a Subject Alternative Name (SAN):
    keytool -certreq -alias your.domain.com -file your.domain.com.csr -keystore your.domain.com.jks -ext san=dns:your.domain.com
  4. Request a Certificate Authority (CA) signed certificate:
    1. In the directory where you ran Step 1 above, locate the file your.domain.com.csr.
    2. Submit the file to your Certificate Authority (CA).
      Details vary from one CA to another. Typically, you submit your request through a website. Then the CA contacts you to verify your identity. CAs can send signed reply files in a variety of formats, and CAs use a variety of names for those formats. The CA's reply must be in PEM format or in PKCS#7 format (often named .p7b).
    3. There may be a waiting period for the CA's reply.
  5. Import the CA's reply. The CA's reply will be either one PKCS#7 (.p7b or similar) file containing the whole chain, or one or more PEM files.
    1. Copy the CA's files into the directory where you created the keystore in Step 1 above.
    2. Use keytool to import the CA reply into the keystore you created in Step 1, under the same alias as the private key (your.domain.com). Importing under that alias replaces the self-signed certificate that keytool generated with the CA-signed chain. Importing into another keystore, or under a different alias, only adds a trusted certificate entry and leaves the server presenting the self-signed certificate.
      To import a PKCS#7 reply (CAs name the file CAreply.p7b, CAreply.pkcs, or similar), run:
      keytool -importcert -trustcacerts -alias your.domain.com -file CAreply.p7b -keystore your.domain.com.jks

      CAreply.p7b is the name of the file provided by the CA and your.domain.com is the complete domain name of your server.

      If the CA sent PEM files, then there may be one file, but most often there are two or three. Import the files in the order shown below (root, then each intermediate, then the server certificate) after substituting your values; keytool can only verify a certificate once its issuer is already present in the keystore or in the Java cacerts file:
      keytool -importcert -trustcacerts -alias root -file root.cert.pem -keystore your.domain.com.jks
      keytool -importcert -trustcacerts -alias intermediate -file intermediate.cert.pem -keystore your.domain.com.jks
      keytool -importcert -trustcacerts -alias intermediate2 -file intermediate2.cert.pem -keystore your.domain.com.jks
      keytool -importcert -trustcacerts -alias your.domain.com -file server.cert.pem -keystore your.domain.com.jks

      Then add the same root and intermediate certificates to the DCS trust store, which the DCS agent and the DCS command-line clients use to verify the certificates presented to them:
      keytool -importcert -trustcacerts -alias root -file root.cert.pem -keystore /opt/oracle/dcs/conf/dcs-ca-certs
      keytool -importcert -trustcacerts -alias intermediate -file intermediate.cert.pem -keystore /opt/oracle/dcs/conf/dcs-ca-certs

      root.cert.pem is the name of the root certificate file and intermediate.cert.pem is the name of the intermediate certificate file. The root and intermediate files link the CA's signature to a widely trusted root certificate that is known to web browsers. Most, but not all, CA replies include roots and intermediates. server.cert.pem is the name of the server certificate file. The file links your domain name with your public key and the CA's signature.
    3. Verify the import with keytool -list -v -keystore your.domain.com.jks. The your.domain.com entry must show Entry type: PrivateKeyEntry and a Certificate chain length equal to the number of certificates in the reply. A chain length of 1 whose issuer is still your own name means the reply landed in a different entry or keystore.
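Deciding which PEM file is the root, which are intermediates, and which is the server certificate is left to you by most CAs, and the import order above depends on it. The following script is an added example, not Oracle code: it reads each certificate's issuer and subject with a minimal DER walk using only the standard library, orders the files by following issuer to subject, and reports a reply that does not form a single chain, which is the usual symptom of a missing intermediate. The three sample certificates it contains are constructed, unsigned skeletons for illustration only; on a real reply you would pass the file contents in place of SAMPLE_REPLY.

```python
"""Sort the PEM certificates in a CA reply into root, intermediate, server order.

Added example, not Oracle code. It decodes just enough DER (RFC 5280 field
order) to read each certificate's issuer and subject names. The sample
certificates are constructed, unsigned stand-ins built by _fake_cert.
"""
import base64
import re

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file's text."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(text)]


def _tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return (issuer, subject) as the raw DER Name encodings of a certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = end
    _, _, pos = _tlv(der, pos)              # serialNumber
    _, _, pos = _tlv(der, pos)              # signature AlgorithmIdentifier
    _, _, end = _tlv(der, pos)              # issuer Name
    issuer, pos = der[pos:end], end
    _, _, pos = _tlv(der, pos)              # validity
    _, _, end = _tlv(der, pos)              # subject Name
    return issuer, der[pos:end]


def order_chain(ders):
    """Return (role, der) pairs ordered root -> intermediates -> server.

    The chain starts at the self-signed certificate, or, if the CA did not
    ship its root, at the certificate that no other file issued. ValueError
    means the files do not form one chain (typically a missing intermediate).
    """
    names = [issuer_and_subject(d) for d in ders]
    subjects = {sub for _, sub in names}
    starts = [i for i, (iss, sub) in enumerate(names) if iss == sub or iss not in subjects]
    if len(starts) != 1:
        raise ValueError("reply does not contain exactly one top-of-chain certificate")
    chain, remaining = [starts[0]], set(range(len(ders))) - {starts[0]}
    while remaining:
        nxt = [i for i in remaining if names[i][0] == names[chain[-1]][1]]
        if len(nxt) != 1:
            raise ValueError("certificates do not form a single chain")
        chain.append(nxt[0])
        remaining.remove(nxt[0])
    out = []
    for k, i in enumerate(chain):
        if k == len(chain) - 1:
            role = "server"
        elif k == 0 and names[i][0] == names[i][1]:
            role = "root"
        else:
            role = "intermediate"
        out.append((role, ders[i]))
    return out


def order_reply(files):
    """Map a CA reply given as {file_name: pem_text} to [(file_name, role), ...]."""
    ders, owner = [], {}
    for fname, text in files.items():
        for d in pem_to_der(text):
            owner[d] = fname
            ders.append(d)
    return [(owner[d], role) for role, d in order_chain(ders)]


def reply_is_complete(files):
    """True when the reply forms one unbroken chain (a missing root is tolerated)."""
    try:
        order_reply(files)
        return True
    except ValueError:
        return False


def _der(tag, body):
    """Minimal DER TLV encoder (lengths below 65536 suffice for the samples)."""
    n = len(body)
    head = bytes([tag, n]) if n < 0x80 else (bytes([tag, 0x81, n]) if n < 0x100
                                             else bytes([tag, 0x82]) + n.to_bytes(2, "big"))
    return head + body


def _name(cn):
    """Name ::= SEQUENCE OF SET OF (commonName OID 2.5.4.3, UTF8String)."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def _fake_cert(subject_cn, issuer_cn):
    """Constructed, unsigned certificate skeleton with the RFC 5280 field order."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    utc = _der(0x17, b"240101000000Z")
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + _name(issuer_cn)
           + _der(0x30, utc + utc) + _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))


def _pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed reply, deliberately handed over in an unhelpful order.
SAMPLE_REPLY = {
    "cert1.pem": _pem(_fake_cert("your.domain.com", "Example Issuing CA")),
    "cert2.pem": _pem(_fake_cert("Example Root CA", "Example Root CA")),
    "cert3.pem": _pem(_fake_cert("Example Issuing CA", "Example Root CA")),
}

if __name__ == "__main__":
    for fname, role in order_reply(SAMPLE_REPLY):
        print(f"{role:12} {fname}")
```

The script compares raw DER Name encodings rather than printable strings, which is how a validator matches issuer to subject; it deliberately does not check signatures, which keytool -importcert does when it builds the chain.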

Configuring the DCS Server to Use Custom Keystore

After creating or converting your keystore into Java keystore (JKS) format, copy it to the path that the DCS controller configuration will reference (the example below uses /opt/oracle/dcs/conf/custom_dcsKey.jks) and make it readable by root only, because it contains the server's private key. Then configure the DCS server to use it.

  1. Login to the appliance.
    ssh -l root oda-host-name
  2. Generate the obfuscated keystore password:
    /opt/oracle/dcs/java/java_version/bin/java -cp /opt/oracle/dcs/bin/dcs-controller-n.n.n.n.n.jar com.oracle.oda.dcs.password.utils.OBFCredentials keystore-password

    For example, with the password test:

    # /opt/oracle/dcs/java/java_version/bin/java -cp /opt/oracle/dcs/bin/dcs-controller-19.23.0.0.0.jar com.oracle.oda.dcs.password.utils.OBFCredentials test
    OBF:"1z0f1vu91vv11z0f"

    Copy the obfuscated password that starts with OBF:. Note that OBF: is reversible obfuscation, not encryption: it keeps the cleartext out of casual view in the configuration file, but anyone who can read dcs-controller.yml can recover the keystore password, so keep that file readable by root only.

  3. Update the following in /opt/oracle/dcs/conf/dcs-controller.yml:
    ssl:
          key-store:
            path: file:/opt/oracle/dcs/conf/custom_dcsKey.jks
            type: "JKS"
            password: "obfuscated keystorepassword"
          trust-store:
            path: file:/opt/oracle/dcs/conf/dcs-ca-certs
          key:
            alias: "your.domain.com"
  4. Restart the DCS controller.
    systemctl stop initdcscontroller
    systemctl start initdcscontroller
    The DCS controller log file /opt/oracle/dcs/log/dcs-controller.log displays the following lines:
    2022-05-13 04:23:37,266 INFO [main] [] c.o.o.c.DCSControllerSSLConfig: Custom keystore password is set
    2022-05-13 04:23:37,266 INFO [main] [] c.o.o.c.DCSControllerSSLConfig: Custom truststore password is set
  5. Access the Browser User Interface at https://oda-host-name:7093/mgmt/index.html.
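The OBF: string produced in Step 2 is worth understanding before relying on it. The following reimplementation is an added example, not Oracle's OBFCredentials utility: it follows the Jetty password obfuscation algorithm, which is assumed to be the scheme in use because it reproduces the OBF:1z0f1vu91vv11z0f output shown above for the password test, and SAMPLE_YML is a constructed fragment in the shape of dcs-controller.yml. Running it shows that the encoding is reversible by anyone who can read the file, so protection of the keystore password rests entirely on file permissions, not on the OBF: form.

```python
"""Reimplementation of the OBF: password encoding used in the DCS configuration files.

Added example, not Oracle's OBFCredentials utility. Assumed to be the Jetty
password obfuscation, which reproduces the documented OBF:1z0f1vu91vv11z0f for
the password "test". SAMPLE_YML is a constructed fragment for illustration.
"""
import re

_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _base36(n, width):
    """Lower-case base-36 encoding, zero-padded to width, as Jetty emits it."""
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = _DIGITS[r] + out
    return out.rjust(width, "0")


def obfuscate(password):
    """Return the OBF:... form of password (UTF-8 bytes, Jetty algorithm)."""
    b = password.encode("utf-8")
    parts = ["OBF:"]
    for i, b1 in enumerate(b):
        b2 = b[-(i + 1)]                    # byte mirrored from the other end
        if b1 >= 0x80 or b2 >= 0x80:        # non-ASCII: 'U' marker, b1 kept in the high byte
            parts.append("U" + _base36(b1 * 256 + b2, 4))
        else:
            i1 = 127 + b1 + b2              # sum and difference mixed with b2, which is
            i2 = 127 + b1 - b2              # why it looks scrambled but hides nothing
            parts.append(_base36(i1 * 256 + i2, 4))
    return "".join(parts)


def deobfuscate(obf):
    """Recover the cleartext from an OBF:... string (inverse of obfuscate)."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            raw.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            raw.append((i1 + i2 - 254) // 2)  # (127+b1+b2)+(127+b1-b2)-254 = 2*b1
            i += 4
    return raw.decode("utf-8")


_OBF_IN_YAML = re.compile(r'password:\s*"?(OBF:[0-9a-zU]+)"?')


def recover_passwords(yaml_text):
    """Return every keystore password readable from a DCS yml fragment."""
    return [deobfuscate(m) for m in _OBF_IN_YAML.findall(yaml_text)]


# Constructed fragment in the shape of the ssl: section of dcs-controller.yml.
SAMPLE_YML = """\
ssl:
  key-store:
    path: file:/opt/oracle/dcs/conf/custom_dcsKey.jks
    type: "JKS"
    password: "OBF:1z0f1vu91vv11z0f"
  key:
    alias: "your.domain.com"
"""

if __name__ == "__main__":
    print(obfuscate("test"))                 # OBF:1z0f1vu91vv11z0f
    print(recover_passwords(SAMPLE_YML))     # ['test']
```

Treat dcs-controller.yml and dcs-agent.yml with the same file permissions as the keystore itself: the OBF: value is equivalent to the cleartext for anyone who can read it.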

Configuring the DCS Agent To Use a Custom Certificate

After you import the certificate into the keystore, configure the DCS agent to use the same certificate.

  1. Update the DCS agent configuration file:
    cd /opt/oracle/dcs/conf
    Update the following parameters in the dcs-agent.yml file:
    dcs:
      config:
        secondary-server:
          ssl:
            key-store: file:/opt/oracle/dcs/conf/custom_dcsKey.jks
            type: "JKS"
            trust-store: file:/opt/oracle/dcs/conf/dcs-ca-certs
            alias: "your.domain.com"
            password: "obfuscated keystorepassword"
  2. Restart the DCS agent:
    systemctl stop initdcsagent
    systemctl start initdcsagent
  3. Access the agent at https://oda-host-name:7070.
  4. Update the CLI certificates.
    cp -f /opt/oracle/dcs/conf/dcs-ca-certs /opt/oracle/dcs/dcscli/dcs-ca-certs
  5. Update the DCS command-line configuration files:
    [root@]# cd /opt/oracle/dcs/dcscli
    Update the following parameters in dcscli-adm.conf and dcscli.conf, where keystore_password is the password of the trust store copied in Step 4:
    TrustStorePath=/opt/oracle/dcs/dcscli/dcs-ca-certs
    TrustStoreKeyPassword=keystore_password
    Because these files now hold that password, restrict them to the root user.

Maintaining a Secure Environment

After you implement security policies and methods on your appliance, review these topics to understand how to maintain a secure environment.

About Secure Environments

Oracle recommends that you review and update your operational and administrative access policies regularly to maintain a secure environment.

After you implement security policies and features for your system, Oracle recommends that your organization establish a security review policy. As part of your security policy, periodically update and review your software, hardware, and user access.

For example, check all users and administrators granted access to Oracle Database Appliance, and to its deployed services. Verify that the levels of access and privilege that you have granted to users and administrators remain appropriate.

Without regular security reviews, the level of access granted to individuals could increase unintentionally, due to role changes, or due to changes to default settings. Oracle recommends that you review access rights for operational and administrative tasks regularly. Regular reviews can help to ensure that user level of access remains aligned to the roles and responsibilities for each user.

Maintaining Network Security

After the networks are configured based on the security guidelines, carry out regular review and maintenance to ensure that secure host and ILOM settings remain intact and in effect.

Follow these guidelines to ensure the security of local and remote access to the system:

  • Manage the management network switch configuration file offline, and limit access to the file to only authorized administrators.

  • Add descriptive comments for each setting in the configuration file. Consider keeping a static copy of the configuration file in a source code control system.

  • Use access control lists to apply restrictions where appropriate.

  • Set time-outs for extended sessions and set privilege levels.

  • Use authentication, authorization, and accounting (AAA) features for local and remote access to a switch.

  • Use the port mirroring capability of the switch for intrusion detection system (IDS) access.

  • Implement port security to limit access based upon a MAC address. Disable auto-trunking on all ports for any switch connected to Oracle Database Appliance.

  • Limit remote configuration to specific IP addresses using SSH.

  • Require users to use strong passwords by setting minimum password complexity rules and password expiration policies.

  • Enable logging and send logs to a dedicated secure log host.

  • Configure logging to include accurate time information, using NTP and timestamps.

  • Review logs for possible incidents and archive them in accordance with the organization's security policy.

Updating Software and Firmware

Oracle regularly introduces security enhancements in new releases and patch sets.

Effective proactive patch management is a critical part of system security. Oracle recommends that you install the latest release of the software, and install all necessary security patches on the equipment.

To establish baseline security, Oracle recommends that you apply only Oracle-recommended software and security patches.

Ensuring Data Security Outside of Oracle Database Appliance

Follow security practices when you back up your data to external storage.

Ensure that you back up your data to external storage. Oracle recommends that you store backups in an off-site, secure location. Retain the backups according to your organizational policies and requirements.

When you dispose of old disk drives, physically destroy the drive, or completely erase all the data on the drive. Deleting the files or reformatting the disk drive removes only the address tables on the drive. The information can still be recovered from a disk drive after deleting files or reformatting the drive. If you want to retain replaced disk drives and flash drives, instead of returning them to Oracle, then you can use the Oracle Database Appliance disk retention support option.