Re: Metalink Fiasco

  • From: Job Miller <jobmiller@xxxxxxxxx>
  • To: rodd.holman@xxxxxxxxx
  • Date: Wed, 11 Nov 2009 16:28:41 -0800 (PST)

I suspect the details of what OCM collects and transmits are available.
I don't remember the detail in the OCM licensing agreement though.  I'll have 
to go back and check.
It says:

For further information about what information is collected by OCM and how it 
is used and protected, please consult the OCM license terms and other 
supporting documentation available on MetaLink.

If you are afraid of it phoning home, you can run it in disconnected mode as 

763142.1 How to upload the collection file ocmconfig.jar to My Oracle Support 
for Oracle Configuration Manager (OCM) running in Disconnected Mode.

The link above goes into detail about the security built into OCM and its 
back-end repository inside Oracle's data center.

Oracle Configuration Manager (OCM), downloadable from MetaLink, is used to 
upload your environment configuration information. OCM gathers configuration 
information and loads that information to a Customer Configuration Repository 
(CCR) at Oracle. Providing the auto-collected configuration information to 
Oracle is voluntary and is done only with your consent through acceptance of 
the OCM license agreement.

You control the installation and configuration of OCM. If you configure it to 
send information to Oracle, OCM pushes your selected configuration uploads to 
the Oracle CCR on a regular basis. OCM only initiates outbound communications 
to Oracle, and does not listen for inbound communications.

OCM configuration information is used to assist in the SR diagnosis and 
resolution process. OCM does not collect production data, business transactions 
or passwords.

In order to collect detailed database configuration information, your Oracle 
database must be configured with certain OCM provided PL/SQL procedures. OCM 
provides scripts that you need to run against the Oracle database after you 
install OCM. These scripts create a database account called ORACLE_OCM in the 
Oracle database. The account stores the PL/SQL procedures that collect the 
configuration information, and owns the database management system (DBMS) job 
that performs the collection. After the account has been set up, it is 
immediately locked and the password expired because login privileges are no 
longer required or desired.

You can choose to enable auto-update for OCM. OCM auto-update uses 
authentication and encryption. Before any downloaded update is applied, the 
digital signature is validated, confirming the update was signed with a 
certificate issued to Oracle (this certificate is different from the 
certificate used to secure the communications link). The signing software is on 
a system not connected to the Oracle corporate network.

When transmitting configuration information to Oracle, OCM uses Secure Sockets 
Layer (SSL) and industry standard protocol (HTTPS) as well as 128-bit encryption 
using public/private key exchange (otherwise known as asymmetric encryption) 
for all communications. OCM authenticates Oracle as the recipient by 
interrogating the certificate returned by Oracle (a recognized certificate 
authority, specified by Oracle, issues the certificate to Oracle).

The OCM upload server(s) are deployed in a firewall protected DMZ network. 
There is no direct Internet connection to the application server. The OCM site 
resolves to an IP address registered to a virtual server on an SSL 
Accelerator/Reverse Proxy to encrypt the information and mask the location of 
the source and destination. At the termination point of the SSL encryption, 
reverse proxy forwards traffic to the application server. Configuration 
information is then pushed to the CCR database tiers on Oracle’s internal 

Oracle utilizes a network Intrusion Detection System (nIDS) to provide 
continuous surveillance on the OCM upload site to intercept and respond to 
security events as they are identified.

Oracle conducts quarterly vulnerability scans on the OCM upload server to 
detect known vulnerabilities.

The configuration information collected in the CCR is secured inside Oracle's 
Tier IV Austin Data Center and protected by Oracle network security 
infrastructure and security teams.

Customers may request deletion of their configuration information by logging a 
Service Request indicating the specific configuration information and scope of 
the deletion request.

For further information about what information is collected by OCM and how it 
is used and protected, please consult the OCM license terms and other 
supporting documentation available on MetaLink.

--- On Wed, 11/11/09, Rodd Holman <rodd.holman@xxxxxxxxx> wrote:

> From: Rodd Holman <rodd.holman@xxxxxxxxx>
> Subject: Re: Metalink Fiasco
> To: 
> Cc: "oracle-l" <oracle-l@xxxxxxxxxxxxx>
> Date: Wednesday, November 11, 2009, 1:44 PM
> I agree desktop vs. enterprise issue.  I was just making the point that
> I get very wary of call home functionality in any system.
> Alex Fatkulin wrote:
> > I think we need to be careful in extrapolating consumer issues into
> > enterprise issues. I get the problem you had was with WPA (Windows
> > Product Activation) and OEM Win XP (which is bound to "computer" as
> > opposed to "proper" retail version).
> >
> > No one is going to lock your SQL or Exchange (or what other enterprise
> > software you might be running) servers, I think this is what Niall has
> > been talking about.
> >
> --