Re: Question - Fusion Middleware inside Cloud Control or no?

From: Tim Hall <tim_at_oracle-base.com>
Date: Tue, 17 Nov 2015 08:46:33 +0000
Message-ID: <CAP=5zEjFnM+20G2Fn=0MwiJ98voYZ9kbTK3tDjKD4keyYP6HHg_at_mail.gmail.com>



Hi.

I recognize the problem, but this is where I typically "educate" the people involved. Security is not about, "always apply all patches to all systems all the time". It is about identifying risk in context. All audit and security processes allow for "exceptions to the rule". It is up to you to identify where an exception is required and document why it is required and any relevant risks, or why they are not risks in this context. Provided that is all done correctly, there is no harm done.

Of course, if your client refuses to accept this, they are stupid and you have to decide how to deal with this. Personally, I walk away. I've got better things to do with my life than deal with idiot customers. :) I understand not everyone has that option... :)

Cheers

Tim...

On Mon, Nov 16, 2015 at 1:28 PM, Chris Taylor < christopherdtaylor1994_at_gmail.com> wrote:

> Yeah, I'm sure that works for customers who have requirements to apply the
> latest CPU patches for Oracle products as part of their Security
> requirements enforced by the CISO organization.
>
> As an IT guy, I understand your point - I get it. As part of a
> corporate organization, selling the fact that we didn't apply the latest
> Security CPUs because of any reason doesn't really work (even if we have
> the box locked down). I assume you recognize that as a problem.
>
> Regards,
> Chris
>
>
> On Mon, Nov 16, 2015 at 1:43 AM, Tim Hall <tim_at_oracle-base.com> wrote:
>
>> Dude! It's a black box. Block off comms to the server using the OS
>> firewall, so the only way to get to it is SSH and the relevant ports. All
>> internal comms within EM can be left alone. You are just making work for
>> yourself.
>>
>> The agent comms should be secured, but that happens anyway...
>>
>> Cheers
>>
>> Tim...
>>
>> On Mon, Nov 16, 2015 at 4:01 AM, Chris Taylor <
>> christopherdtaylor1994_at_gmail.com> wrote:
>>
>>> Can you reach the Fusion Middleware Overview inside EM 12c (12.1.0.5) or
>>> not? If so, I can't find it but apparently I need to be able to at some
>>> point? Securing EM 12c is going to get the better of me yet. (note that
>>> in the 12c Recommended Patches it specifically says to update the JDK which
>>> breaks a god awful amount of stuff in the communications.)
>>>
>>> Background:
>>> 1. Installed EM12c (12.1.0.5)
>>> --Everything seems to be working fine
>>> 2. Proceed to Applying Enterprise Manager 12c Recommended Patches (Doc
>>> ID 1664074.1) and Enterprise Manager 12.1.0.5.0 (PS4) Master Bundle Patch
>>> List (Doc ID 2038446.1)
>>> 3. Proceed to break the EM12 installation. Seems to be related to CERTS
>>> and/or WALLETS and/or KEYSTORES.
>>>
>>> So, I was trying to figure out how to create the wallets/certs/keystores
>>> so that all the components can successfully talk to each other following
>>> these notes:
>>>
>>> a.) OHS 11g Mod_wl_ohs via SSL to WebLogic Server Fails - WLLogFile
>>> Shows " [READ_ERROR_FROM_SERVER] (socket read failure) "
>>> (which points to)
>>> b.) Configuring Mod_wl_ohs to Use SSL between Oracle HTTP Server and
>>> Weblogic Server in FMW 11g (11.1.1.X) (Doc ID 1268723.1)
>>> (which points to)
>>> c.) Configuring Oracle HTTP Server to Use SSL in Fusion Middleware 11g
>>> (11.1.1.X) (Doc ID 1226933.1)
>>> (which points to)
>>> d.) Master Note for SSL Configuration in Fusion Middleware 11g (Doc ID
>>> 1218695.1)
>>>
>>>
>>
>

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Nov 17 2015 - 09:46:33 CET
