Re: Question - Fusion Middleware inside Cloud Control or no?

  • From: Tim Hall <tim@xxxxxxxxxxxxxxx>
  • To: Chris Taylor <christopherdtaylor1994@xxxxxxxxx>
  • Date: Tue, 17 Nov 2015 08:46:33 +0000

Hi.

I recognize the problem, but this is where I typically "educate" the people
involved. Security is not about, "always apply all patches to all systems
all the time". It is about identifying risk in context. All audit and
security processes allow for "exceptions to the rule". It is up to you to
identify where an exception is required and document why it is required and
any relevant risks, or why they are not risks in this context. Provided
that is all done correctly, there is no harm done.

Of course, if your client refuses to accept this, they are stupid and you
have to decide how to deal with this. Personally, I walk away. I've got
better things to do with my life than deal with idiot customers. :) I
understand not everyone has that option... :)

Cheers

Tim...

On Mon, Nov 16, 2015 at 1:28 PM, Chris Taylor <
christopherdtaylor1994@xxxxxxxxx> wrote:

Yeah, I'm sure that works for customers who have requirements to apply the
latest CPU patches for Oracle products as part of their Security
requirements enforced by the CISO organization.

As an IT guy, I understand your point - I get it.  As part of a
corporate organization, selling the fact that we didn't apply the latest
Security CPUs because of any reason doesn't really work (even if we have
the box locked down). I assume you recognize that as a problem.

Regards,
Chris


On Mon, Nov 16, 2015 at 1:43 AM, Tim Hall <tim@xxxxxxxxxxxxxxx> wrote:

Dude! It's a black box. Block off comms to the server using the OS
firewall, so the only way to get to it is SSH and the relevant ports. All
internal comms within EM can be left alone. You are just making work for
yourself.

The agent comms should be secured, but that happens anyway...

Cheers

Tim...

On Mon, Nov 16, 2015 at 4:01 AM, Chris Taylor <
christopherdtaylor1994@xxxxxxxxx> wrote:

Can you reach the Fusion Middleware Overview inside EM 12c (12.1.0.5) or
not? If so, I can't find it but apparently I need to be able to at some
point?  Securing EM 12c is going to get the better of me yet.  (Note that
in the 12c Recommended Patches it specifically says to update the JDK, which
breaks a god-awful amount of stuff in the communications.)

Background:
1. Installed EM12c (12.1.0.5)
--Everything seems to be working fine
2. Proceed to Applying Enterprise Manager 12c Recommended Patches (Doc
ID 1664074.1) and Enterprise Manager 12.1.0.5.0 (PS4) Master Bundle Patch
List (Doc ID 2038446.1)
3. Proceed to break the EM12 installation. Seems to be related to CERTS
and/or WALLETS and/or KEYSTORES.

So, I was trying to figure out how to create the wallets/certs/keystores
so that all the components can successfully talk to each other following
these notes:

a.) OHS 11g Mod_wl_ohs via SSL to WebLogic Server Fails - WLLogFile
Shows " [READ_ERROR_FROM_SERVER] (socket read failure) "
(which points to)
b.) Configuring Mod_wl_ohs to Use SSL between Oracle HTTP Server and
Weblogic Server in FMW 11g (11.1.1.X) (Doc ID 1268723.1)
(which points to)
c.) Configuring Oracle HTTP Server to Use SSL in Fusion Middleware 11g
(11.1.1.X) (Doc ID 1226933.1)
(which points to)
d.) Master Note for SSL Configuration in Fusion Middleware 11g (Doc ID
1218695.1)



