Service Enclave Security Features

The appliance administrator's working environment is the Service Enclave. It is the part of the system where the appliance infrastructure is controlled. It provides tools for hardware and capacity management, tenancy control, and centralized monitoring of components at all system layers. Changes to settings in the Service Enclave can affect appliance availability.

Because the scope of the Service Enclave encompasses the entire appliance, access to the Service Enclave should be tightly controlled. Some best practices for the Service Enclave include:

  • Do not share user information

  • Create a limited number of users for the Service Enclave

  • Use the Service Enclave Groups to control access for the users: ADMIN, MONITOR, SUPERADMIN, DRADMIN (Refer to the section on Administrator Access in the Oracle Private Cloud Appliance Concepts Guide for a description of the roles available in the Service Enclave)

  • A user with the DRADMIN role can currently be created only via the Service Enclave CLI

Locally defined users (as opposed to federated users) have access to the Private Cloud Appliance via the Compute Web UI and the OCI CLI. Refer to the chapter on working in the Service Enclave in the Oracle Private Cloud Appliance Administrator Guide for accessing the Service Enclave.

Creating a Secure Compute Enclave Tenancy with Identity Provider

An Identity Provider (IdP) can be used for access to the Service Enclave User Interface. Once one or more IdPs are created and groups are mapped, the users in the directory can access the Service Enclave User Interface via the browser. Identity users do not gain access to the Administrative CLI.

For more information about managing IdPs, users and groups, see the "Federating with Microsoft Active Directory" section in the Oracle Private Cloud Appliance Administrator Guide.

Creating a Secure Compute Enclave Tenancy

A tenancy is an Oracle Private Cloud Appliance environment where users of the tenancy create and manage cloud resources in order to build and configure virtualized workloads. All the tenancies in the environment are collectively referred to as the Compute Enclave. A Service Enclave administrator who is a member of the SUPERADMIN group can create and delete a tenancy. As part of the creation process, the Service Enclave administrator defines the administrator for the tenancy. Once the tenancy and tenancy administrator are created, the Service Enclave administrator can only change the tenancy description or delete the tenancy and all of its contents. All modifications of the resources within a tenancy are handled by the tenancy users.

Some general best practices for a secure Compute Enclave tenancy:

  • Do not use the same initial password for the initial administrator in each tenancy

  • Consider using different administrator user names for each tenancy

  • Advise the new tenancy administrator to immediately change the password upon receiving the tenancy administrator information

  • Do not convey the user and password for Grafana access to the new tenancy administrator (monitoring and logging through Grafana is for the entire appliance)

Once created, the resources built by tenancy users in the new tenancy are owned by the tenancy, not by the Service Enclave, though resources for all tenancies come from a single pool of resources.

For more information about managing tenancies, see the "Tenancy Management" section in the Oracle Private Cloud Appliance Administrator Guide.

Certificate Expiration

Various certificates are used throughout the Oracle Private Cloud Appliance. The public key algorithm and expiration for the various certificates are shown in the following table.

Certificate                                                            Public Key Algorithm   Expiration
PCA 3.0 Root Certificate Authority (CA)                                RSA 4096 bit           20 years
PCA 3.0 Intermediate CA used for internal services                     RSA 4096 bit           10 years
PCA 3.0 Intermediate CA used for external-facing services              RSA 4096 bit           10 years
PCA 3.0 Server certificate                                             RSA 2048 bit           1 year
PCA 3.0 Client certificate                                             RSA 2048 bit           1 year
Vault generated server certificate (automated rotation)                RSA 2048 bit           31 days
Vault generated ephemeral certificate (automated rotation)             RSA 2048 bit           1 hour
Compute Certificate Signing Request (CSR) - Vault client certificate   RSA 2048 bit           1 year

Some short-lived certificates have automated rotation. If a customer replaces certificates, then those certificates are outside the scope of the table.
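As an added example (not code from the Oracle guide or the appliance), the following standard-library Python check reads the two lines printed by `openssl x509 -noout -dates` for one certificate, matches its validity period against the lifetimes in the table above, and flags certificates that are near expiry, treating the Vault-rotated rows as self-renewing. The row labels, the 2% matching tolerance and the sample dates are assumptions made for the example.

```python
# Classify a certificate's validity period against the PCA 3.0 lifetime table
# and flag upcoming expiry. Input is `openssl x509 -noout -dates` output.
from datetime import datetime, timedelta, timezone

# (row label, nominal lifetime, automated rotation) from the table above.
# Labels are shorthand chosen for this example; 365-day years are assumed.
TABLE = [
    ("PCA 3.0 Root CA", timedelta(days=365 * 20), False),
    ("PCA 3.0 Intermediate CA", timedelta(days=365 * 10), False),
    ("PCA 3.0 server/client certificate", timedelta(days=365), False),
    ("Vault server certificate", timedelta(days=31), True),
    ("Vault ephemeral certificate", timedelta(hours=1), True),
]
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"  # e.g. "Mar  1 00:00:00 2025 GMT"


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as UTC datetimes from `openssl x509 -dates` output."""
    found = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key in ("notBefore", "notAfter"):
            value = " ".join(value.split())  # openssl pads single-digit days with a space
            found[key] = datetime.strptime(value, OPENSSL_DATE).replace(tzinfo=timezone.utc)
    return found["notBefore"], found["notAfter"]


def match_table_row(lifetime):
    """Match a validity period to a table row; 2% (min 10 min) covers leap days and skew."""
    for row, expected, auto_rotated in TABLE:
        tolerance = max(expected * 0.02, timedelta(minutes=10))
        if abs(lifetime - expected) <= tolerance:
            return row, auto_rotated
    return None, False


def check_certificate(text, now, warn_days=30):
    """Return (table row or None, days remaining, status) for one certificate."""
    not_before, not_after = parse_openssl_dates(text)
    row, auto_rotated = match_table_row(not_after - not_before)
    remaining = round((not_after - now).total_seconds() / 86400, 1)
    if row is None:
        status = "unexpected lifetime (replaced certificate? outside the table's scope)"
    elif remaining < 0:
        status = "EXPIRED"
    elif remaining < warn_days and not auto_rotated:
        status = "expires soon"  # manual renewal needed before notAfter
    else:
        status = "ok"  # includes short-lived certificates that Vault rotates itself
    return row, remaining, status


# Constructed sample: a 1-year server certificate checked 19 days before it lapses.
SAMPLE_DATES = "notBefore=Mar  1 00:00:00 2024 GMT\nnotAfter=Mar  1 00:00:00 2025 GMT\n"
if __name__ == "__main__":
    print(check_certificate(SAMPLE_DATES, datetime(2025, 2, 10, tzinfo=timezone.utc)))
```

Feed it real output with `openssl x509 -noout -dates -in cert.pem` (or `openssl s_client` piped into `openssl x509`) and a current timestamp; a certificate matching no row is worth a manual look because it is outside the table's scope.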

Your Own CA Trust Chain

In the Oracle Private Cloud Appliance architecture, you can provide your own CA certificates, which lets you use your own CA trust chain to access the rack's external interfaces.

Note:

OpenSSH clients must be version openssh-clients-7.4p1 or later.

For instructions, see "Accessing External Interfaces with Your Certificate Authority Trust Chain" in the Oracle Private Cloud Appliance Administrator Guide.

Audit Logs

Audit logs for the Service Enclave are available from the Grafana dashboard and are intermixed with the logs from the Service Enclave UI web server and the admin service itself.

For using various filters to isolate audit information, see the "Accessing System Logs" and "Audit Logs" sections of the Oracle Private Cloud Appliance Administrator Guide.

Monitoring and Logging

The monitoring and logging information (including audit logs) for Oracle Private Cloud Appliance is accessed via the centralized Grafana console; a link to it is provided from the dashboard of the Service Enclave UI. At this time there is only one user profile available in Grafana. Data in Grafana applies to all tenancies, the Service Enclave and infrastructure components. To protect the information available in Grafana:

  • Do not distribute the login information for Grafana (or Prometheus)

  • Centralize requests for information from tenancy administrators through the Grafana administrator (including VM statistics, audit information for a particular tenancy, and so on)

For more information on status and health monitoring, see the "Status and Health Monitoring" section of the Oracle Private Cloud Appliance Administrator Guide.

Security Patches to Maintain a Secure Environment

Security patches are a subset of the patches provided via the patch process. For more information, refer to the process described in the Oracle Private Cloud Appliance Patching Guide.