Re: Oracle Configuration Manager

From: April Sims <aprilcsims_at_gmail.com>
Date: Sat, 17 Sep 2011 08:08:12 -0500
Message-ID: <CAK+cZDd6KvsBZ56soimBTuX9x89J486pQjxG44txyPTUmLCvcQ_at_mail.gmail.com>


Using OCM in Disconnected Mode with Masking

There is sensitive information being collected from the OCM tool. If you are employed by an organization that doesn’t allow you to reveal such information, or direct access by the servers to the Internet, there are steps to improve the security of this upload process. This section is highly recommended to be reviewed before enabling OCM. You must know what types of information are there, and how that information is used before enabling uploading capabilities to a support website.

To disable the collection of IP and MAC addresses, you add the following entries to the $ORACLE_HOME/ccr/config/collector.properties file.

To disable the collection of network addresses, add the following entry:

       ccr.metric.host.ecm_hw_nic.inet_address=false

To disable the collection of the MAC address, add the following entry:

       ccr.metric.host.ecm_hw_nic.mac_address=false

The OCM Collector collects the schema usernames for databases configured for configuration collections. The collection of this information is filtered or masked when 'ccr.metric.oracle_database.db_users.username' is assigned the value of 'mask' in the $ORACLE_HOME/ccr/config/collector.properties file. The default behavior of the collector is to not mask this data.

MOS customers may request deletion of their configuration information by logging a Service Request (SR) indicating the specific configuration information and scope of the deletion request.

Disconnected Mode is done with something called Oracle Support Hub which is installed at your site. This hub is configured as a local secure site for the direct uploads from your nodes which the hub can then upload to MOS through the Internet. This would protect each of your nodes from any type of direct Internet access.

Finally there is a way to do a manual upload of a single node by the method outlined in this MOS document: 763142.1 How to upload the collection file ocmconfig.jar to My Oracle Support for Oracle Configuration Manager (OCM) running in Disconnected Mode. This is probably the safest method to use OCM, run it for a specific purpose with appropriate masking built in and then request the information to be deleted by entering a SR request.

On Sat, Sep 17, 2011 at 5:06 AM, Nuno Souto <dbvision_at_iinet.net.au> wrote:

> MacGregor, Ian A. wrote, on my timestamp of 16/09/2011 5:48 AM:
> > Every time I open an SR, the idea of using OCM very much
> > appeals to me. Especially the ability for Oracle to perform health
> > checks and recommend patches. However according to the documentation
> > the encryption of the data is based PKCS with a 128-bit key.
> > IF this is true, then why bother encrypting at all? Also the information
> > collected includes such things as the database users and other such
> > information which could cause a world of hurt, should it fall in the
> > wrong hands.
>
> Like for example, the MAC address of all network cards in your system.
> Exactly the kind of information any hacker would love to have to penetrate one's
> firewall and other net-based security.
> Why on Earth is this not disabled by default is beyond me - what possible
> purpose would Oracle need that info in the first place other than some demented,
> ignorant developer leaving it on "just because"?
> The main reason why in a pig's arse OCM will EVER be installed in any system I
> manage...
>
>
> --
> Cheers
> Nuno Souto
> in sunny Sydney, Australia
> dbvision_at_iinet.net.au
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

-- 
April C. Sims
IOUG SELECT Journal Executive Editor
http://aprilcsims.wordpress.com
Twitter, LinkedIn
Oracle Database 11g – Underground Advice for Database Administrators
<http://www.amazon.com/Oracle-Database-Underground-Advice-Administrators/dp/1849680000/ref=sr_1_1?ie=UTF8&s=books&qid72289339&sr=8-1#noop>
https://www.packtpub.com/oracle-11g-database-implementations-guide/book
OCP 8i, 9i, 10g, 11g DBA
Southern Utah University
aprilcsims_at_gmail.com

--
http://www.freelists.org/webpage/oracle-l
Received on Sat Sep 17 2011 - 08:08:12 CDT
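
Added example, not part of the original message or of Oracle's tooling: a shell audit that checks a collector.properties file for the three settings the message names and reports any that are missing or overridden. The function and variable names are hypothetical, and the exact, case-sensitive value comparison is an assumption.

```shell
#!/usr/bin/env bash
# Added example: audit collector.properties for the settings in the message.
# Function and variable names are hypothetical; values are compared exactly.

REQUIRED_SETTINGS='ccr.metric.host.ecm_hw_nic.inet_address=false
ccr.metric.host.ecm_hw_nic.mac_address=false
ccr.metric.oracle_database.db_users.username=mask'

# prop_value FILE KEY: print the effective value of KEY (last assignment wins);
# print nothing when KEY is absent or only appears in a comment.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                 # comment line
        {
            line = $0
            sub(/^[ \t]+/, "", line)           # leading whitespace
            if (!match(line, /[ \t]*[=:][ \t]*/)) next
            k = substr(line, 1, RSTART - 1)
            v = substr(line, RSTART + RLENGTH)
            sub(/[ \t\r]+$/, "", v)            # trailing whitespace / CR
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }
    ' "$1"
}

# audit_ocm_masking FILE: report each setting; return the number of settings
# that are missing or wrong (0 means all three are in place, 99 = unreadable).
audit_ocm_masking() {
    ocm_file=$1; ocm_failures=0
    [ -r "$ocm_file" ] || { echo "UNREADABLE $ocm_file"; return 99; }
    while IFS='=' read -r ocm_key ocm_want; do
        ocm_have=$(prop_value "$ocm_file" "$ocm_key")
        if [ "$ocm_have" = "$ocm_want" ]; then
            echo "OK    $ocm_key=$ocm_have"
        else
            echo "FAIL  $ocm_key (want '$ocm_want', found '${ocm_have:-<unset>}')"
            ocm_failures=$((ocm_failures + 1))
        fi
    done <<EOF
$REQUIRED_SETTINGS
EOF
    return "$ocm_failures"
}

# Usage: ./audit.sh "$ORACLE_HOME/ccr/config/collector.properties"
if [ $# -gt 0 ]; then
    audit_ocm_masking "$1"
fi
```

The exit status is the number of failing settings, so the script can gate a pre-upload check before a collection is sent to the support hub or uploaded manually.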
